Padding Oracle Attack due to Observable Timing Discrepancy in jose-browser-runtime
Description
jose-browser-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4, decryption with the AES_CBC_HMAC_SHA2 algorithms (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) always executed both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed was thrown. However, a possibly observable difference in timing when a padding error occurred while decrypting the ciphertext creates a padding oracle, and an adversary might be able to use that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in a ciphertext block). A patch was released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are >=3.11.4. Users should upgrade to ^3.11.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In jose-browser-runtime <3.11.4, observable timing differences in AES_CBC_HMAC_SHA2 decryption create a padding oracle enabling plaintext recovery.
Vulnerability
In jose-browser-runtime versions prior to 3.11.4, the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption routine always executed both HMAC tag verification and CBC decryption. If either failed, JWEDecryptionFailed was thrown; however, the timing of the padding error during CBC decryption could differ observably, creating a padding oracle [1][3].
Exploitation
An attacker who can submit ciphertexts to a system that decrypts JWEs with one of the vulnerable algorithms can measure the time each decryption takes. Because the vulnerable routine runs CBC decryption regardless of whether the tag check passed, a modified ciphertext whose decryption yields valid PKCS#7 padding completes at a different point than one whose padding is invalid, and that difference is the oracle. By modifying the ciphertext one byte at a time, submitting it, and measuring the response time, the attacker can recover each plaintext block with on average 128*b oracle calls (where b is the number of bytes in a ciphertext block) without possessing the decryption key [1][3].
Impact
Successful exploitation allows the attacker to recover plaintext data from encrypted messages. This compromises confidentiality of data encrypted using the affected algorithms. No authentication or user interaction is required beyond the ability to send ciphertexts to the decryption endpoint [1].
Mitigation
A patch was released in version 3.11.4 that ensures the HMAC tag is verified before performing CBC decryption, so a forged ciphertext is rejected before any padding is ever examined and the timing side channel disappears; this is the verify-then-decrypt order RFC 7518 describes for these algorithms. Users should upgrade to ^3.11.4 or later [1][3]. No workarounds are documented; upgrading is the recommended action. Note that verify-first only closes the padding oracle if the tag comparison itself is constant-time; a byte-by-byte compare would open a different timing channel.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jose-browser-runtime (npm) | < 3.11.4 | 3.11.4 |
Affected products (2)
Patches (0)
No patches discovered yet.
References (4)
- [1] github.com/advisories/GHSA-94hh-pjjg-rwmr (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2021-29444 (NVD entry)
- [3] github.com/panva/jose/security/advisories/GHSA-94hh-pjjg-rwmr (x_refsource_CONFIRM)
- [4] www.npmjs.com/package/jose-browser-runtime (x_refsource_MISC)