High-Severity DoS Vulnerability Patched in go-jose/v4 Library (CVE-2026-34986)
A critical security update has been issued for the widely used `go-jose/v4` library, patching a high-severity denial-of-service vulnerability. The flaw, tracked as CVE-2026-34986 with a CVSS score of 7.5, can crash an application that processes malformed encrypted data, posing a significant risk to service stability.
The vulnerability resides in the library's JWE decryption logic for key-wrapping algorithms. When the JWE `encrypted_key` field is empty, the decryption path panics; an unrecovered panic in Go terminates the whole process, so a single malformed message causes an immediate application crash and denial of service. The fix, implemented in version 4.1.4, adds proper nil and empty slice validation before the vulnerable `cipher.KeyUnwrap()` call, so bad input is rejected as an error instead of crashing the process.
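To make the vulnerable pattern and the shape of the fix concrete, here is an added Go example. It is not go-jose's code: `toyWrap`/`toyUnwrap` are a constructed XOR stand-in for AES key wrap that only mimics the slice handling of a real unwrap routine (an 8-byte integrity-check block followed by wrapped key blocks), and the names `unwrapCEKUnguarded`, `unwrapCEKHardened` and `ErrEmptyEncryptedKey` are this example's own. The unguarded path hands `encrypted_key` straight to the unwrap and panics on an empty or nil slice; the hardened path validates the field first, as the 4.1.4 fix does, and additionally rejects lengths that are not whole 8-byte blocks, a check that goes beyond what the advisory describes.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrEmptyEncryptedKey is what the hardened path returns instead of panicking.
var ErrEmptyEncryptedKey = errors.New("jwe: encrypted_key is empty")

// toyICV is a constructed 8-byte integrity-check value standing in for the
// RFC 3394 default IV; it is not the real constant.
const toyICV = "TOYICV00"

// toyWrap is a constructed stand-in for AES key wrap: ICV || (key XOR kek mask).
// It exists only so the example can build sample input offline.
func toyWrap(kek, key []byte) []byte {
	out := append([]byte(toyICV), key...)
	for i := range key {
		out[8+i] ^= kek[i%len(kek)]
	}
	return out
}

// toyUnwrap has the shape of a key-unwrap routine: it reads the first 8-byte
// block as the integrity check and the remainder as wrapped key blocks. Like
// the pre-4.1.4 call path the advisory describes, it does no length check of
// its own, so an empty or nil encrypted_key makes the slice expression panic
// with "slice bounds out of range".
func toyUnwrap(kek, encryptedKey []byte) ([]byte, error) {
	icv := encryptedKey[:8]
	if string(icv) != toyICV {
		return nil, errors.New("jwe: key unwrap integrity check failed")
	}
	key := make([]byte, len(encryptedKey)-8)
	for i := range key {
		key[i] = encryptedKey[8+i] ^ kek[i%len(kek)]
	}
	return key, nil
}

// unwrapCEKUnguarded models the vulnerable pattern: the JWE encrypted_key
// field is passed straight to the unwrap call.
func unwrapCEKUnguarded(kek, encryptedKey []byte) ([]byte, error) {
	return toyUnwrap(kek, encryptedKey)
}

// unwrapCEKHardened models the fix: validate the field before the unwrap call
// and turn bad input into an error the caller can handle. len() is zero for
// both nil and empty slices, so one check covers both. The block-length check
// is an extra sanity check added in this example, beyond the nil/empty
// validation the advisory mentions.
func unwrapCEKHardened(kek, encryptedKey []byte) ([]byte, error) {
	if len(encryptedKey) == 0 {
		return nil, ErrEmptyEncryptedKey
	}
	if len(encryptedKey) < 16 || len(encryptedKey)%8 != 0 {
		return nil, errors.New("jwe: encrypted_key has invalid length")
	}
	return toyUnwrap(kek, encryptedKey)
}

// panics reports whether f panics, recovering so the demo process survives.
// This is a demonstration harness only, not a substitute for input validation.
func panics(f func()) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	f()
	return false
}

func main() {
	kek := []byte("0123456789abcdef") // constructed 128-bit key-encryption key
	cek := []byte("constructed-cek!") // constructed 16-byte content-encryption key
	wrapped := toyWrap(kek, cek)

	key, err := unwrapCEKHardened(kek, wrapped)
	fmt.Printf("valid input: key=%q err=%v\n", key, err)

	fmt.Println("empty encrypted_key, unguarded path panics:",
		panics(func() { unwrapCEKUnguarded(kek, []byte{}) }))

	_, err = unwrapCEKHardened(kek, nil)
	fmt.Println("empty encrypted_key, hardened path returns error:", err)
}
```

Running it shows the round trip succeeding on well-formed input, the unguarded path panicking on an empty `encrypted_key`, and the hardened path returning `ErrEmptyEncryptedKey` for both nil and empty input, which is the behaviour change a caller observes after upgrading to 4.1.4.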
This patch is now being rolled out, as evidenced by a recent commit that upgraded the dependency from 4.1.3 to 4.1.4 in a backend module. The update passed all existing tests, indicating a focused fix. Developers and security teams relying on this library for JSON Web Encryption should prioritize this upgrade to mitigate the risk of targeted DoS attacks exploiting this predictable crash vector; until the upgrade lands, a `go list -m all | grep go-jose` check confirms which version a build actually pulls in.