Medium severity5.9NVD Advisory· Published Jun 4, 2018· Updated Jun 17, 2026
CVE-2017-16007
CVE-2017-16007
Description
node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
node-josenpm | < 0.9.3 | 0.9.3 |
Affected products
2- Range: <0.9.3
Patches
Vulnerability mechanics
References
8- gist.github.com/asanso/fa25685348051ef6a28d49aa0f27a4aenvdPatchThird Party AdvisoryWEB
- blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.htmlnvdExploitThird Party AdvisoryWEB
- github.com/advisories/GHSA-rvj9-8cvx-3vq9ghsaADVISORY
- nodesecurity.io/advisories/324nvdThird Party Advisory
- nvd.nist.gov/vuln/detail/CVE-2017-16007ghsaADVISORY
- github.com/cisco/node-jose/commit/f92cffb4a0398b4b1158be98423369233282e0afghsaWEB
- github.com/cisco/node-jose/compare/0.9.2...0.9.3ghsaWEB
- github.com/cisco/node-jose/pull/88ghsaWEB
News mentions
0No linked articles in our index yet.