CVE-2023-25653
CVE-2023-25653 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for web browsers and node.js-based servers. Prior to version 2.2.0, when using the non-default "fallback" crypto back-end, ECC operations in `node-jose` can trigger a Denial-of-Service (DoS) condition, due to a possible infinite loop in an internal calculation. EPSS estimates a 0.55% chance of exploitation in the next 30 days.
Description
node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for web browsers and node.js-based servers. Prior to version 2.2.0, when using the non-default "fallback" crypto back-end, ECC operations in `node-jose` can trigger a Denial-of-Service (DoS) condition, due to a possible infinite loop in an internal calculation. For some ECC operations, this condition is triggered randomly; for others, it can be triggered by malicious input. The issue has been patched in version 2.2.0. Since this issue is only present in the "fallback" crypto implementation, it can be avoided by ensuring that either WebCrypto or the Node `crypto` module is available in the JS environment where `node-jose` is being run.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Cisco | Node-Jose | < 2.2.0 |
References
- https://github.com/cisco/node-jose/security/advisories/GHSA-5h4j-qrvg-9xhw (Technical Description, Vendor Advisory)
Source: NVD / NIST
