JOSE vulnerable to resource exhaustion via specifically crafted JWE (GHSA-jv3g-j58f-9mq9) 2

Severity:: Medium

Description

The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named p2c (PBES2 Count), which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key.

Recommendation

Update the jose-node-cjs-runtime package to the latest compatible version. Followings are version details:

Affected version(s): **>= 4.0.0, <= 4.9.1 >= 3.0.0, <= 3.20.3**
Patched version(s): **4.9.2 3.20.4**

References

GHSA-jv3g-j58f-9mq9
CVE-2022-36083
CWE-400
CWE-834
CAPEC-310
OWASP 2021-A6

Related Issues

@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message - CVE-2025-64758
`sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js` - CVE-2025-62381
matrix-js-sdk has insufficient validation when considering a room to be upgraded by another - CVE-2025-59160
Modified package published to npm, containing malware that exfiltrates private key material - CVE-2024-54134

Tags:: npm; jose-node-cjs-runtime

Anything's wrong? Let us know Last updated on July 21, 2023