jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext
- Severity:
- Medium
Description
A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high.
Recommendation
Update the jose package to the latest compatible version. Followings are version details:
Affected version(s): **< 2.0.7 >= 3.0.0, <= 4.15.4** Patched version(s): **2.0.7 4.15.5**
References
Related Issues
- angular vulnerable to regular expression denial of service via the <input type="url"> element - CVE-2023-26118
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] (GHSA-963h-3v39-3pqf) - CVE-2025-27793
- @hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed - CVE-2024-32652
- url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. - CVE-2022-0691
- Tags:
- npm
- jose
Anything's wrong? Let us know Last updated on March 30, 2024