jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext (GHSA-hhhv-q57g-882q) 2
- Severity:
- Medium
Description
A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high.
Recommendation
Update the jose-node-cjs-runtime package to the latest compatible version. Followings are version details:
- Affected version(s): <= 4.15.4
- Patched version(s): 4.15.5
References
Related Issues
- jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext (GHSA-hhhv-q57g-882q) - CVE-2024-28176
- jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext - CVE-2024-28176
- JOSE vulnerable to resource exhaustion via specifically crafted JWE (GHSA-jv3g-j58f-9mq9) 2 - CVE-2022-36083
- JOSE vulnerable to resource exhaustion via specifically crafted JWE (GHSA-jv3g-j58f-9mq9) 3 - CVE-2022-36083
- Tags:
- npm
- jose-node-cjs-runtime
Anything's wrong? Let us know Last updated on March 30, 2024