JOSE vulnerable to resource exhaustion via specifically crafted JWE (GHSA-jv3g-j58f-9mq9) 3

Severity:: Medium

Description

The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named p2c (PBES2 Count), which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key.

Recommendation

Update the jose-browser-runtime package to the latest compatible version. Followings are version details:

Affected version(s): **>= 4.0.0, <= 4.9.1 >= 3.0.0, <= 3.20.3**
Patched version(s): **4.9.2 3.20.4**

References

GHSA-jv3g-j58f-9mq9
CVE-2022-36083
CWE-400
CWE-834
CAPEC-310
OWASP 2021-A6

Related Issues

matrix-js-sdk has insufficient validation when considering a room to be upgraded by another - CVE-2025-59160
Prototype pollution in ag-grid-community via the _.mergeDeep function (GHSA-876p-c77m-x2hc) - CVE-2024-38996
JOSE vulnerable to resource exhaustion via specifically crafted JWE (GHSA-jv3g-j58f-9mq9) 2 - CVE-2022-36083
Modified package published to npm, containing malware that exfiltrates private key material - CVE-2024-54134

Tags:: npm; jose-browser-runtime

Anything's wrong? Let us know Last updated on July 21, 2023