From 5161415653ce0fc21b3bfe76791c5d17b0bca3ff Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 7 Apr 2026 09:48:15 +0200 Subject: [PATCH] BUG/MEDIUM: jwe: fix memory leak in jwt_decrypt_secret with var argument When the secret argument to jwt_decrypt_secret is a variable (ARGT_VAR) rather than a literal string, alloc_trash_chunk() is called to hold the base64-decoded secret but the buffer is never released. The end: label frees input, decrypted_cek, out, and the decoded_items array but not secret. Each request leaks one trash chunk (~tune.bufsize, default 16KB). At ~65000 requests per GiB this allows slow memory exhaustion DoS against any config of the form: http-request set-var(txn.x) req.hdr(...),jwt_decrypt_secret(txn.key) This must be backported as far as JWE support exists. --- src/jwe.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/jwe.c b/src/jwe.c index d7497888e..e36b7b0d8 100644 --- a/src/jwe.c +++ b/src/jwe.c @@ -738,6 +738,7 @@ static int sample_conv_jwt_decrypt_secret(const struct arg *args, struct sample end: clear_jose_fields(&fields); free_trash_chunk(input); + free_trash_chunk(secret); free_trash_chunk(decrypted_cek); free_trash_chunk(out); clear_decoded_items(decoded_items);
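Review bot: in the `end:` cleanup block, the added `free_trash_chunk(secret);` runs on every exit path, while the commit message says the chunk is only allocated when the argument is ARGT_VAR. That is safe only if `secret` is initialised to NULL at its declaration and stays NULL for the literal-string case and for any early `goto end` taken before the allocation. The declaration is outside the visible context, so please confirm it in the patch description or widen the context. `input`, `decrypted_cek` and `out` are already freed unconditionally in the same block, which suggests the convention holds, but it is worth stating. Separately, this buffer holds the base64-decoded secret: consider clearing its contents before it is returned to the trash pool, so key material does not persist in a chunk that is later reused for unrelated request data. The same question applies to `decrypted_cek` if it is not already wiped elsewhere.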