Padding Oracle Attack due to Observable Timing Discrepancy in jose
Description
jose is an npm library providing a number of cryptographic operations. In vulnerable versions, AES_CBC_HMAC_SHA2 algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed would be thrown. A possibly observable difference in timing when a padding error occurs while decrypting the ciphertext makes a padding oracle, and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). All major release versions have had a patch released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are ^1.28.1 || ^2.0.5 || >=3.11.4. Users should upgrade their v1.x dependency to ^1.28.1, their v2.x dependency to ^2.0.5, and their v3.x dependency to ^3.11.4. Thanks to Jason from Microsoft Vulnerability Research (MSVR) for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
jose npm library's AES_CBC_HMAC_SHA2 decryption is vulnerable to a padding oracle attack due to observable timing discrepancies, allowing an attacker to decrypt data without the key.
Vulnerability
The jose npm library's implementation of the AES_CBC_HMAC_SHA2 algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) performs both HMAC tag verification and CBC decryption before throwing JWEDecryptionFailed if either fails [1][2]. This creates a timing side-channel: a padding error during CBC decryption produces a measurably different response time, effectively creating a padding oracle [1][2]. All versions prior to the patches are affected: v1.x before 1.28.1, v2.x before 2.0.5, and v3.x before 3.11.4 [1][2].
Exploitation
An attacker with network access to a system using the vulnerable library can send chosen ciphertexts and observe the response timing [1][2]. By issuing on average 128*b calls (where b is the ciphertext block size in bytes) to the padding oracle, the attacker can decrypt arbitrary ciphertext blocks without knowledge of the decryption key [1][2]. No authentication or special privileges are required beyond the ability to interact with the decryption endpoint [1][2].
Impact
Successful exploitation allows an attacker to decrypt data that was encrypted using the affected AES_CBC_HMAC_SHA2 algorithms, leading to full disclosure of the encrypted content [1][2]. The attacker gains no code execution or privilege escalation, but the confidentiality of the encrypted data is completely compromised [1][2].
Mitigation
The vulnerability is fixed in versions ^1.28.1, ^2.0.5, and >=3.11.4 [1][2]. Users should upgrade their dependencies accordingly [1][2]. The patch ensures that HMAC tag verification is performed before CBC decryption, eliminating the timing oracle [2]. No workarounds are available for unpatched versions [1][2]. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jose (npm) | >= 1.0.0, < 1.28.1 | 1.28.1 |
| jose (npm) | >= 2.0.0, < 2.0.5 | 2.0.5 |
| jose (npm) | >= 3.0.0, < 3.11.4 | 3.11.4 |
Affected products
- panva/jose (v5): range < 1.28.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-58f5-hfqc-jgch (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2021-29443 (NVD advisory)
- https://github.com/panva/jose/security/advisories/GHSA-58f5-hfqc-jgch (vendor advisory, x_refsource_CONFIRM)
- https://www.npmjs.com/package/jose (package page, x_refsource_MISC)
News mentions
No linked articles in our index yet.