node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for web browsers and node.js-based servers. Prior to version 2.2.0, when using the non-default "fallback" crypto back-end, ECC operations in `node-jose` can trigger a Denial-of-Service (DoS) condition, due to a possible infinite loop in an internal calculation. For some ECC operations, this condition is triggered randomly; for others, it can be triggered by malicious input. The issue has been patched in version 2.2.0. Since this issue is only present in the "fallback" crypto implementation, it can be avoided by ensuring that either WebCrypto or the Node `crypto` module is available in the JS environment where `node-jose` is being run.
CVE-2023-25653 - High Severity Vulnerability
Vulnerable Library - node-jose-1.1.4.tgz
A JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers
Library home page: https://registry.npmjs.org/node-jose/-/node-jose-1.1.4.tgz
Path to dependency file: /trustid-sdk/package.json
Path to vulnerable library: /trustid-sdk/node_modules/node-jose/package.json
Dependency Hierarchy: - :x: **node-jose-1.1.4.tgz** (Vulnerable Library)
Found in HEAD commit: 1c9178c5a1b42520307da1fa7f9b1899276178ed
Found in base branch: master
Vulnerability Details
node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for web browsers and node.js-based servers. Prior to version 2.2.0, when using the non-default "fallback" crypto back-end, ECC operations in `node-jose` can trigger a Denial-of-Service (DoS) condition, due to a possible infinite loop in an internal calculation. For some ECC operations, this condition is triggered randomly; for others, it can be triggered by malicious input. The issue has been patched in version 2.2.0. Since this issue is only present in the "fallback" crypto implementation, it can be avoided by ensuring that either WebCrypto or the Node `crypto` module is available in the JS environment where `node-jose` is being run.
Publish Date: 2023-02-16
URL: CVE-2023-25653
CVSS 3 Score Details (7.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/cisco/node-jose/security/advisories/GHSA-5h4j-qrvg-9xhw
Release Date: 2023-02-16
Fix Resolution: 2.2.0
Step up your Open Source Security Game with Mend here