JOSE vulnerable to resource exhaustion via specifically crafted JWE (GHSA-jv3g-j58f-9mq9)
- Severity:
- Medium
Description
The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named p2c (PBES2 Count), which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key.
Recommendation
Update the jose-node-esm-runtime package to the latest compatible version. Followings are version details:
Affected version(s): **>= 4.0.0, <= 4.9.1 >= 3.0.0, <= 3.20.3** Patched version(s): **4.9.2 3.20.4**
References
Related Issues
- webpack-dev-server users' source code may be stolen when they access a malicious web site - CVE-2025-30359
- matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal - CVE-2024-50336
- Vite before v2.9.13 vulnerable to directory traversal via crafted URL to victim's service - CVE-2022-35204
- jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext (GHSA-hhhv-q57g-882q) - CVE-2024-28176
- Tags:
- npm
- jose-node-esm-runtime
Anything's wrong? Let us know Last updated on July 21, 2023