jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext
Severity: Medium
Description
A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically in the support for decompressing the plaintext after it has been decrypted. Because that decompression runs on attacker-controlled input, an adversary can craft a JWE whose plaintext compresses at an exceptionally high ratio, so that a small ciphertext expands into a very large plaintext during decryption and exhausts the recipient's resources.
Recommendation
Update the jose package to the latest compatible version. The following are the version details:
Affected version(s): **< 2.0.7**; **>= 3.0.0, <= 4.15.4**
Patched version(s): **2.0.7**, **4.15.5**
References
Tags: npm, jose
Last updated on March 30, 2024