Vulnerability in signoz project

[ankitdn]

While working in signoz project, I found that the application uses github.com/russellhaering/gosaml2, which is affected by a denial-of-service vulnerability in its AES-CBC decryption logic. The issue occurs in the DecryptBytes function, where malformed input can result in empty data after trimming, leading to an index out-of-range panic.

CVE Report
CVE Link

[welcome]

Thanks for opening this issue. A team member should give feedback soon. In the meantime, feel free to check out the contributing guidelines.

[H4ad]

Thanks for alerting us, would you like to open a PR for that?