Summary
The Grype supply chain scan has identified GHSA-78h2-9frx-2jm8 (HIGH — CVSS 7.5) in two versions of go-jose embedded in the Caddy binary (/usr/bin/caddy):
- github.com/go-jose/go-jose/v3 v3.0.4 → fix available in v3.0.5
- github.com/go-jose/go-jose/v4 v4.1.3 → fix available in v4.1.4
Vulnerability Details
Type: Denial of Service — JWE decryption panic
Advisory: GHSA-78h2-9frx-2jm8
Attack Vector: Crafted JWE input causes unrecoverable panic during decryption
Current Mitigation
- Temporary ignore rules added to .grype.yaml with expiry 2026-05-05
- Charon does not use go-jose directly; this is a transitive dependency embedded in the Caddy binary
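For reference, this is the shape the temporary ignore rules take in .grype.yaml. It is an added illustration, not the repository's actual file: the `reason` wording and the convention of recording the expiry date in the reason text are assumptions, while the advisory id, module paths, versions and binary path come from the scan above.

```yaml
# .grype.yaml (illustrative; not the repository's real file)
ignore:
  # Temporary: GHSA-78h2-9frx-2jm8 in go-jose embedded in the Caddy binary.
  # Expiry 2026-05-05 is recorded in the reason text (assumed convention);
  # remove both rules once Caddy ships go-jose >= v3.0.5 / v4.1.4.
  - vulnerability: GHSA-78h2-9frx-2jm8
    reason: "transitive dependency of Caddy, not used by Charon; expires 2026-05-05"
    package:
      name: github.com/go-jose/go-jose/v3
      version: v3.0.4
      type: go-module
      location: /usr/bin/caddy
  - vulnerability: GHSA-78h2-9frx-2jm8
    reason: "transitive dependency of Caddy, not used by Charon; expires 2026-05-05"
    package:
      name: github.com/go-jose/go-jose/v4
      version: v4.1.3
      type: go-module
      location: /usr/bin/caddy
```

Pinning the rule to the exact module name, version and binary location keeps it narrow: if a rebuilt Caddy binary embeds a different but still vulnerable go-jose version, the rule no longer matches and Grype reports the finding again instead of silently suppressing it.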
Resolution Path
- Monitor upstream Caddy releases for a version that includes patched go-jose
- Once available, rebuild the Caddy binary with the updated dependency
- Remove the corresponding ignore rules from .grype.yaml
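The two checks behind the resolution path, as an added example rather than anything from the Charon or Caddy projects: confirm from `go version -m` output that a rebuilt Caddy binary embeds go-jose at or above the fixed versions, and flag ignore rules whose expiry date has passed. The sample `go version -m` output and the ignore-rule list are constructed inline (other module versions in the sample are placeholders), and the `expires YYYY-MM-DD` marker in the rule's `reason` text is an assumed convention.

```python
"""Check an embedded-module listing against the go-jose fix versions and
report expired .grype.yaml ignore rules (added example, constructed input)."""
import re
import subprocess
import sys
from datetime import date

# From the advisory: module path -> first version containing the fix.
FIXED = {
    "github.com/go-jose/go-jose/v3": "v3.0.5",
    "github.com/go-jose/go-jose/v4": "v4.1.4",
}

# Constructed sample of `go version -m /usr/bin/caddy` output, trimmed to a few
# lines; versions other than the go-jose ones are placeholders.
SAMPLE_GO_VERSION_M = (
    "/usr/bin/caddy: goX.Y.Z\n"
    "\tpath\tgithub.com/caddyserver/caddy/v2/cmd/caddy\n"
    "\tdep\tgithub.com/go-jose/go-jose/v3\tv3.0.4\th1:placeholder\n"
    "\tdep\tgithub.com/go-jose/go-jose/v4\tv4.1.3\th1:placeholder\n"
    "\tdep\tgolang.org/x/crypto\tvX.Y.Z\th1:placeholder\n"
)

# Constructed mirror of the temporary ignore rules (as Python dicts, not YAML).
SAMPLE_IGNORE_RULES = [
    {"vulnerability": "GHSA-78h2-9frx-2jm8",
     "reason": "transitive dependency of Caddy; expires 2026-05-05",
     "package": {"name": "github.com/go-jose/go-jose/v3", "version": "v3.0.4"}},
    {"vulnerability": "GHSA-78h2-9frx-2jm8",
     "reason": "transitive dependency of Caddy; expires 2026-05-05",
     "package": {"name": "github.com/go-jose/go-jose/v4", "version": "v4.1.3"}},
]

EXPIRY_RE = re.compile(r"expires (\d{4})-(\d{2})-(\d{2})")


def parse_version(v: str) -> tuple:
    """Turn a Go module version like 'v3.0.4' into a comparable tuple.
    A pre-release ('v3.0.5-rc1') sorts below the final release, so it is
    not treated as carrying the fix."""
    core = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not core:
        raise ValueError(f"unrecognised Go module version: {v!r}")
    is_prerelease = "-" in v.split("+", 1)[0]
    return tuple(int(x) for x in core.groups()) + (0 if is_prerelease else 1,)


def embedded_modules(go_version_m_output: str) -> dict:
    """Map module path -> version from the 'mod'/'dep' lines of `go version -m`."""
    mods = {}
    for line in go_version_m_output.splitlines():
        fields = line.split("\t")  # ['', kind, path, version, sum]
        if len(fields) >= 4 and fields[1] in ("mod", "dep"):
            mods[fields[2]] = fields[3]
    return mods


def still_vulnerable(go_version_m_output: str) -> list:
    """Return (module, embedded_version, fixed_version) for each go-jose module
    embedded below its fixed version."""
    mods = embedded_modules(go_version_m_output)
    findings = []
    for module, fixed in FIXED.items():
        have = mods.get(module)
        if have is not None and parse_version(have) < parse_version(fixed):
            findings.append((module, have, fixed))
    return findings


def expired_ignores(rules: list, today: date) -> list:
    """Return ignore rules whose 'expires YYYY-MM-DD' marker is earlier than today."""
    expired = []
    for rule in rules:
        m = EXPIRY_RE.search(rule.get("reason", ""))
        if m and date(*map(int, m.groups())) < today:
            expired.append(rule)
    return expired


if __name__ == "__main__":
    # Pass a binary path to inspect a real build; otherwise use the sample.
    if len(sys.argv) > 1:
        listing = subprocess.run(["go", "version", "-m", sys.argv[1]],
                                 check=True, capture_output=True, text=True).stdout
    else:
        listing = SAMPLE_GO_VERSION_M
    for module, have, fixed in still_vulnerable(listing):
        print(f"still vulnerable: {module} {have} (fixed in {fixed})")
    for rule in expired_ignores(SAMPLE_IGNORE_RULES, date.today()):
        print(f"expired ignore rule: {rule['vulnerability']} {rule['package']['name']}")
```

Run it against the sample to see both vulnerable modules reported; run it with `/usr/bin/caddy` as the argument after a rebuild to confirm the list is empty before removing the ignore rules.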
Acceptance Criteria
.grype.yaml