Description
Affected versions of node-jose are vulnerable to an invalid curve attack. This allows an attacker to recover the private key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.
Proof of Concept
Recommendation
Update the node-jose package to the latest compatible version. Version details are as follows:
- Affected version(s): < 0.9.3
- Patched version(s): 0.9.3
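An invalid curve attack relies on the recipient running ECDH with a sender-supplied point that does not lie on the expected curve, so the defence is to reject any such `epk` before key agreement. The check below is an added example, not node-jose's code or its patch; it covers P-256 only, and the function names and sample keys are hypothetical.

```javascript
// Added example: validate a JWE "epk" header value before ECDH-ES key agreement.
// NIST P-256 domain parameters for y^2 = x^3 - 3x + b (mod p).
const P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn;
const B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn;

// Decode a base64url JWK coordinate; a P-256 coordinate is exactly 32 bytes (43 chars).
function coordToBigInt(b64url) {
  if (typeof b64url !== 'string' || !/^[A-Za-z0-9_-]{43}$/.test(b64url)) return null;
  const buf = Buffer.from(b64url, 'base64'); // Node's base64 decoder accepts the URL-safe alphabet
  if (buf.length !== 32) return null;
  return BigInt('0x' + buf.toString('hex'));
}

// Returns true only if epk is an EC P-256 JWK whose (x, y) satisfies the curve equation.
function isValidP256Epk(epk) {
  if (!epk || epk.kty !== 'EC' || epk.crv !== 'P-256') return false;
  const x = coordToBigInt(epk.x);
  const y = coordToBigInt(epk.y);
  if (x === null || y === null) return false;
  if (x >= P || y >= P) return false; // coordinates must be reduced field elements
  const lhs = (y * y) % P;
  const rhs = ((((x * x) % P) * x) % P + P - ((3n * x) % P) + B) % P;
  return lhs === rhs; // P-256 has cofactor 1, so on-curve implies the correct group
}

// Constructed sample inputs: the P-256 base point as a JWK, and the same x with y altered.
const toB64u = (hex) => Buffer.from(hex, 'hex').toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const onCurveEpk = { kty: 'EC', crv: 'P-256',
  x: toB64u('6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
  y: toB64u('4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5') };
const offCurveEpk = { ...onCurveEpk,
  y: toB64u('4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f6') };
```

A recipient would call `isValidP256Epk` on the parsed `epk` header and abort decryption when it returns false, before the private key is used in any computation.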
Last updated on September 06, 2023