Go-JOSE v4.1.4 Security Patch Fixes Panic Vulnerability in JWE Decryption (CVE-2026-34986)
A critical security update for the widely used Go-JOSE library patches a vulnerability that can cause a denial-of-service panic during JWE decryption. The flaw, tracked as CVE-2026-34986, is triggered when decrypting a JSON Web Encryption (JWE) object that uses a key wrapping algorithm (one whose name ends in `KW`) but carries an empty `encrypted_key` field. This malformed input causes the `cipher.KeyUnwrap()` function in `key_wrap.go` to attempt to allocate a slice with a zero or negative length, which results in an immediate runtime panic.
The vulnerability directly impacts the `github.com/go-jose/go-jose/v4` library, a core component for implementing JOSE standards (JWT, JWE, JWS) in Go applications. The issue is reachable from the `ParseEncrypted` function, meaning any service or application that processes external JWE tokens using affected key wrap algorithms is exposed. The patch, version v4.1.4, replaces the previous v4.1.3 release to resolve this defect.
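As an added illustration (not code from go-jose or from the advisory), the stdlib-only Go pre-filter below rejects the malformed shape described above before a token ever reaches `ParseEncrypted`: a compact-serialization JWE whose protected header `alg` ends in `KW` but whose `encrypted_key` segment is empty. The names `RejectEmptyKeyWrap` and `ErrEmptyWrappedKey` are this example's own; it handles compact serialization only, and it is a stopgap for deployments that cannot update immediately, not a replacement for v4.1.4.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrEmptyWrappedKey marks the malformed shape behind CVE-2026-34986: a
// key-wrapping alg with nothing to unwrap.
var ErrEmptyWrappedKey = errors.New("jwe: key-wrap alg with empty encrypted_key")

// jweHeader carries the single protected-header field this check reads.
type jweHeader struct {
	Alg string `json:"alg"`
}

// RejectEmptyKeyWrap (hypothetical helper, not a go-jose API) inspects a JWE in
// compact serialization (header.encrypted_key.iv.ciphertext.tag) and returns
// ErrEmptyWrappedKey when the protected header names a "...KW" algorithm but the
// encrypted_key segment is empty. Algorithms such as "dir", which legitimately
// carry an empty encrypted_key, pass through. Nothing is decrypted here.
func RejectEmptyKeyWrap(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return fmt.Errorf("jwe: expected 5 segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return fmt.Errorf("jwe: protected header is not base64url: %w", err)
	}
	var hdr jweHeader
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return fmt.Errorf("jwe: protected header is not JSON: %w", err)
	}
	if strings.HasSuffix(hdr.Alg, "KW") && parts[1] == "" {
		return ErrEmptyWrappedKey
	}
	return nil
}

func main() {
	// Constructed sample: an A128KW header followed by an empty encrypted_key segment.
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"A128KW","enc":"A128GCM"}`))
	fmt.Println(RejectEmptyKeyWrap(hdr + "..aXY.Y3Q.dGFn")) // prints "jwe: key-wrap alg with empty encrypted_key"
}
```

Run the filter on every inbound JWE at the service boundary and log rejections; a burst of `ErrEmptyWrappedKey` results is a useful detection signal for attempts to trigger this panic.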
This is a security-sensitive dependency update with broad implications. The library is foundational for authentication, authorization, and secure data exchange in countless Go-based microservices, APIs, and cloud-native applications. While the immediate impact is a service crash (panic), the flaw creates a reliable vector for denial-of-service attacks against any endpoint that accepts and attempts to decrypt maliciously crafted JWE tokens. Development and security teams must prioritize applying this patch to mitigate the risk of unexpected service disruptions.