CVE-2024-28176

MEDIUM

Jose < 2.0.7 - Denial of Service

Description

jose is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically in the support for decompressing the plaintext after it has been decrypted (the DEFLATE compression selected by the "zip": "DEF" protected header parameter). Because the compressed plaintext is attacker-controlled and was inflated without a bound on its decompressed size, a small JWE can expand to a very large plaintext, causing the user's environment to consume an unreasonable amount of CPU time or memory during JWE decryption operations. The attacker only needs to be able to produce a JWE that the recipient will attempt to decrypt; with public-key key-management modes this requires nothing more than the recipient's public key. This issue has been patched in versions 2.0.7 and 4.15.5.

Scores

CVSS v3.1 base score: 4.9 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
EPSS: 0.0057 (0.57%)
EPSS Percentile: 68.7%

CISA SSVC

Source: CISA Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-400 (Uncontrolled Resource Consumption)
Status published
Affected products (5)
fedoraproject/fedora 38 - 40
jose_project/jose < 2.0.7 (fixed in 2.0.7)
npm/jose >= 3.0.0, < 4.15.5 (fixed in 4.15.5)
npm/jose-node-cjs-runtime < 4.15.5 (fixed in 4.15.5)
npm/jose-node-esm-runtime < 4.15.5 (fixed in 4.15.5)
Published Mar 09, 2024
Tracked Since Feb 18, 2026