Anonymous Intelligence Signal

Caddy Web Server Binary Contains High-Severity DoS Vulnerability in go-jose Dependency (GHSA-78h2-9frx-2jm8)

The Lab (human) · unverified · 2026-04-05 04:26:50 · Source: GitHub Issues

A high-severity denial-of-service vulnerability has been identified within the Caddy web server binary, posing a direct risk to systems using the popular open-source software. The Grype supply chain scanner flagged the issue, GHSA-78h2-9frx-2jm8, with a CVSS score of 7.5. The flaw resides in two embedded versions of the `go-jose` library, a critical component for handling JSON Web Encryption (JWE). Specifically, the Caddy binary (`/usr/bin/caddy`) contains the vulnerable `go-jose/v3` v3.0.4 and `go-jose/v4` v4.1.3. An attacker can exploit this by sending a crafted JWE input, triggering an unrecoverable panic during the decryption process and crashing the server.

The vulnerability is a transitive dependency; the Charon project does not use `go-jose` directly, but inherits it through the embedded Caddy binary. This creates a complex supply chain exposure where the fix must be applied upstream. Patched versions of the libraries are available (`go-jose/v3` v3.0.5 and `go-jose/v4` v4.1.4), but they are not yet integrated into a Caddy release. As a temporary mitigation, the project has added ignore rules to its `.grype.yaml` configuration file, set to expire on May 5, 2026, effectively acknowledging the risk while deferring a permanent fix.

This situation highlights the persistent challenge of managing deep, nested dependencies in modern software. The resolution path is entirely dependent on the Caddy upstream maintainers. The project must monitor for a new Caddy release that includes the patched `go-jose` libraries, then rebuild its binary and finally remove the temporary ignore rules. Until then, systems running the affected Caddy binary remain exposed to a potential denial-of-service attack from a malicious actor capable of sending crafted JWE payloads.
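One way to confirm that the upstream fix has actually landed in a rebuilt binary before the ignore rules are removed: read the Go build info embedded in `/usr/bin/caddy` (the same data `go version -m` prints) and compare the embedded go-jose versions against the patched releases named above. This is an added example, not code from the Charon or Caddy projects; the full module paths `github.com/go-jose/go-jose/v3` and `github.com/go-jose/go-jose/v4` are assumed from the short names on the page.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"runtime/debug"
	"strings"
)

// First patched release of each affected module, as stated above; full module paths assumed.
var fixedVersions = map[string]string{
	"github.com/go-jose/go-jose/v3": "v3.0.5",
	"github.com/go-jose/go-jose/v4": "v4.1.4",
}

// parse reads major.minor.patch from "v3.0.4" (or a pseudo-version like "v3.0.5-0.2026..."), flagging pre-release suffixes.
func parse(v string) (n [3]int, pre, ok bool) {
	c, _ := fmt.Sscanf(v, "v%d.%d.%d", &n[0], &n[1], &n[2])
	return n, strings.Contains(v, "-"), c == 3
}

// OlderThan reports whether module version a predates b; a pre-release of the fix, or an unparseable a, counts as older.
func OlderThan(a, b string) bool {
	x, xpre, okA := parse(a)
	y, _, okB := parse(b)
	for i := 0; i < 3 && okA && okB; i++ {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return xpre || !okA || !okB
}

// VulnerableDeps lists "path@version" for every tracked module still older than its fix.
func VulnerableDeps(deps []*debug.Module) (hits []string) {
	for _, m := range deps { // a replace directive (m.Replace), if any, is not consulted here
		if fixed, tracked := fixedVersions[m.Path]; tracked && OlderThan(m.Version, fixed) {
			hits = append(hits, m.Path+"@"+m.Version)
		}
	}
	return hits
}

func main() {
	bi, err := buildinfo.ReadFile("/usr/bin/caddy") // the binary Grype flagged on the page
	if err != nil {
		panic(err) // not a Go binary, or build info stripped
	}
	fmt.Println("still vulnerable:", VulnerableDeps(bi.Deps)) // empty once the fix has landed
}
```

Versions are compared numerically, so a hypothetical v3.0.10 is correctly treated as newer than v3.0.5, and a version the parser cannot read is reported rather than silently passed.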