jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext

Severity:: Medium

Description

A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high.

Recommendation

Update the jose package to the latest compatible version. Followings are version details:

Affected version(s): **< 2.0.7 >= 3.0.0, <= 4.15.4**
Patched version(s): **2.0.7 4.15.5**

References

GHSA-hhhv-q57g-882q
lists.fedoraproject.org
CVE-2024-28176
CWE-400
CAPEC-310
OWASP 2021-A6

Related Issues

jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext (GHSA-hhhv-q57g-882q) - CVE-2024-28176
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext (GHSA-hhhv-q57g-882q) 2 - CVE-2024-28176
JOSE vulnerable to resource exhaustion via specifically crafted JWE (GHSA-jv3g-j58f-9mq9) 3 - CVE-2022-36083
JOSE vulnerable to resource exhaustion via specifically crafted JWE (GHSA-jv3g-j58f-9mq9) - CVE-2022-36083

Tags:: npm; jose

Anything's wrong? Let us know Last updated on March 30, 2024