Invalid Curve Attack in node-jose

Severity:: Medium

Description

Affected versions of node-jose are vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.

Proof of Concept

Recommendation

Update the node-jose package to the latest compatible version. Followings are version details:

Affected version(s): < 0.9.3
Patched version(s): 0.9.3

References

GHSA-rvj9-8cvx-3vq9
blog.intothesymmetry.com
CVE-2017-16007
CWE-200
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-esm-runtime - CVE-2021-29445
Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-cjs-runtime - CVE-2021-29446
Cisco node-jose improper validation of JWT signature - CVE-2018-0114
Invalid Curve Attack in openpgp - CVE-2019-9155

Tags:: npm; node-jose

Anything's wrong? Let us know Last updated on September 06, 2023