To report a security vulnerability, please use GitHub Security Advisories.

Please do not report security vulnerabilities through public GitHub issues.

When reporting, include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fixes (optional)

You can expect an initial response within 48 hours. We will work with you to understand the issue and coordinate disclosure.

gose is a JOSE (JSON Object Signing and Encryption) library that delegates all cryptographic primitives to kryptos, which in turn uses platform-native implementations:

• Erlang target: OTP :crypto and :public_key modules (OpenSSL/LibreSSL)
• JavaScript target: Node.js crypto module (OpenSSL)

gose does not implement any cryptographic primitives itself. Security of the underlying operations depends on kryptos and the platform implementations being correct and up to date.

gose uses phantom types to prevent common misuse at compile time:

• JWS: Jws(Unsigned) cannot be serialized; only Jws(Signed) can
• JWE: Jwe(Unencrypted, ...) cannot be serialized; only Jwe(Encrypted, ...) can
• JWT: Claims are only accessible from Jwt(Verified), not Jwt(Unverified)
• JWE algorithm families: Phantom types restrict builder methods to their correct algorithm family (e.g., with_apu only compiles for ECDH-ES, not Direct)

All verifier and decryptor constructors require the caller to specify the expected algorithm up front. The library rejects tokens whose header algorithm does not match, preventing algorithm confusion attacks where an attacker substitutes a weaker algorithm (e.g., replacing RS256 with HS256).

Before signing, verification, encryption, or decryption, gose validates:

• Key type: The key type matches the algorithm (e.g., RSA keys for RS256, EC keys for ES256)
• Key use (use): If set, must be appropriate for the operation (sig for signing, enc for encryption)
• Key operations (key_ops): If set, must include the required operation (e.g., sign, verify, wrapKey)
• Key algorithm (alg): If set on the key, must match the requested algorithm

verify_and_validate enforces standard JWT claims:

• exp: Token must not be expired (required by default)
• nbf: Token must not be used before the not-before time
• iss: If an expected issuer is configured, it must match
• aud: If an expected audience is configured, the token must include it

The following are supported for interoperability with existing systems but are not recommended for new applications:

• RSA PKCS#1 v1.5 signing (RS256/RS384/RS512): Less robust than PSS; prefer PS256/PS384/PS512
• RSA PKCS#1 v1.5 key encryption (RSA1_5): Vulnerable to padding oracle attacks (Bleichenbacher); prefer RSA-OAEP or RSA-OAEP-256

Recommended: Node.js 22 or later

Node.js 20.x has a known vulnerability (CVE-2023-46809) affecting RSA PKCS#1 v1.5 decryption (Marvin attack). The underlying kryptos library disables PKCS#1 v1.5 decryption on affected versions.

Use a currently supported OTP version with up-to-date OpenSSL/LibreSSL.