Jose Project Jose vulnerabilities

6 known vulnerabilities are listed for jose_project/jose. Note that the entries below cover three distinct implementations that share the name: latchset's jose (C), erlang-jose (Erlang/Elixir) and the jose npm package (JavaScript). Check which one you actually depend on before acting on a match.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 4

Vulnerabilities

CVE-2026-34240 | HIGH | CWE-347 | Affected: ≥ 0, < 0.3.5, +1 more range | Published 2026-03-31 | Sources: ghsa, osv
jose vulnerable to untrusted JWK header key acceptance during signature verification
Impact: A vulnerability in `jose` versions up to and including `0.3.5` could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header (`jwk`). The vulnerability exists because key selection could treat header-provided `jwk` as a verific…
Note that the listed range (< 0.3.5) and the advisory text (up to and including 0.3.5) disagree on whether 0.3.5 itself is affected; confirm against the ghsa/osv sources before relying on either.
CVE-2023-50967 | HIGH | CVSS 7.5 | Affected (Debian package versions): ≥ 0, < 10-3+deb11u1; ≥ 0, < 11-2+deb12u1; +1 more range | Published 2024-03-20 | Source: osv
latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
CVE-2023-50966 | MEDIUM | CWE-400 | Affected: ≥ 0, < 1.11.7 | Published 2024-03-19 | Sources: ghsa, osv
erlang-jose vulnerable to denial of service via large p2c value
erlang-jose (aka JOSE for Erlang and Elixir) through 1.11.6 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value in a JOSE header.
CVE-2024-28176 | MEDIUM | CVSS 5.9 | CWE-400 | Affected: fixed in 2.0.7; ≥ 3.0.0, < 4.15.5 | Published 2024-03-09 | Sources: ghsa, nvd, osv
jose is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for…
CVE-2022-36083 | MEDIUM | CVSS 5.3 | CWE-400 | Affected: ≥ 1.0.0, < 1.28.2; ≥ 2.0.0, < 2.0.6; +2 more ranges | Published 2022-09-07 | Sources: ghsa, nvd, osv
JOSE is "JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno. The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` PBES2 Count, which determines how many PBKDF2 iterations must be executed in ord…
CVE-2021-29443 | MEDIUM | CVSS 5.9 | CWE-203 | Affected: ≥ 1.0.0, < 1.28.1; ≥ 2.0.0, < 2.0.5; +1 more range | Published 2021-04-16 | Sources: ghsa, nvd, osv
jose is an npm library providing a number of cryptographic operations. In vulnerable versions, AES_CBC_HMAC_SHA2 (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, `JWEDecryptionFailed` would be thrown. A possibly observable difference in timing when…