Go-JOSE v3 Security Patch: JWE Decryption Panic Vulnerability (CVE-2026-34986)

A critical vulnerability in the widely-used Go-JOSE library triggers a runtime panic when processing malformed JSON Web Encryption (JWE) objects. The flaw, tracked as CVE-2026-34986, resides in the key unwrapping logic and can crash any service that attempts to decrypt a JWE with a specific, anomalous structure. This creates an immediate denial-of-service risk for applications handling encrypted tokens, including authentication systems and API gateways.

The vulnerability is triggered when a JWE object uses a key wrapping algorithm (denoted by an `alg` field ending in `KW`, except for the GCMKW variants) but contains an empty `encrypted_key` field. When the `cipher.KeyUnwrap()` function in `key_wrap.go` attempts to process this empty data, it tries to allocate a slice with a zero or negative length, causing the program to panic. The code path is directly reachable via the standard `ParseEncrypted` function, making exploitation straightforward for an attacker who can submit crafted JWE tokens.

The maintainers have released version v3.0.5 to patch this issue. The update is classified as a security patch, and the advisory strongly urges all projects with an indirect dependency on `github.com/go-jose/go-jose/v3` to upgrade immediately. The warning highlights that failure to apply this patch leaves backend services vulnerable to targeted crashes by feeding them invalid encrypted data, potentially disrupting critical authentication flows and data processing pipelines.