go-jose v2.6.3 CVE-2025-27144 resolution

[cloudxxx8]

There is a CVE in go-jose v2.6.3
Our project depends on openziti sdk-golang, so this dependency is included

sdk-golang/go.mod

Line 87 in d060e6e

gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect

Please see more details from the dependabot security adviosry
https://www.mend.io/vulnerability-database/CVE-2025-27144?utm_source=JetBrains

Please see if you can upgrade to the latest go-jose lib in v4
https://github.com/go-jose/go-jose

[plorenz]

We're getting this transitively from the zitidel/oidc library. Looks like they've had a major version bump, so we'll do that upgrade which should resolve this.