CVE-2023-25653

HIGH

node-jose < 2.2.0 - Denial of Service via ECC Operations in Fallback Crypto Backend

Title source: llm

Description

node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for web browsers and node.js-based servers. Prior to version 2.2.0, when using the non-default "fallback" crypto back-end, ECC operations in `node-jose` can trigger a Denial-of-Service (DoS) condition, due to a possible infinite loop in an internal calculation. For some ECC operations, this condition is triggered randomly; for others, it can be triggered by malicious input. The issue has been patched in version 2.2.0. Since this issue is only present in the "fallback" crypto implementation, it can be avoided by ensuring that either WebCrypto or the Node `crypto` module is available in the JS environment where `node-jose` is being run.

References (2)

Core 2

Core References

Technical Description, Vendor Advisory x_refsource_confirm

https://github.com/cisco/node-jose/security/advisories/GHSA-5h4j-qrvg-9xhw

Patch x_refsource_misc

https://github.com/cisco/node-jose/commit/901d91508a70e3b9bdfc45688ea07bb4e1b8210d

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0055

EPSS Percentile 41.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-835

Status published

Products (2)

cisco/node-jose < 2.2.0

npm/node-jose 0 - 2.2.0npm

Published Feb 16, 2023

Tracked Since Feb 18, 2026