jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext (GHSA-hhhv-q57g-882q)
- Severity:
- Medium
Description
A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high.
Recommendation
Update the jose-node-esm-runtime package to the latest compatible version. Followings are version details:
- Affected version(s): <= 4.15.4
- Patched version(s): 4.15.5
References
Related Issues
- Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter (GHSA-rcw3-wmx7-cphr) - CVE-2025-26619
- Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-esm-runtime - CVE-2021-29445
- JOSE vulnerable to resource exhaustion via specifically crafted JWE (GHSA-jv3g-j58f-9mq9) - CVE-2022-36083
- Incorrect default cookie name and recommendation - Vulnerability
- Tags:
- npm
- jose-node-esm-runtime
Anything's wrong? Let us know Last updated on March 30, 2024