Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-cjs-runtime
Description
jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4, decryption with the AES_CBC_HMAC_SHA2 algorithms (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) always executed both HMAC tag verification and CBC decryption, and threw JWEDecryptionFailed if either step failed. However, a potentially observable difference in timing when a padding error occurred while decrypting the ciphertext acts as a padding oracle, and an adversary able to submit chosen ciphertexts could use that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to it per block (where b is the number of bytes in a ciphertext block). A patch was released which ensures the HMAC tag is verified before CBC decryption is performed, so that a forged ciphertext never reaches the padding check. The fixed versions are >=3.11.4; users should upgrade to ^3.11.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A timing-based padding oracle in jose-node-cjs-runtime prior to 3.11.4 allows an attacker to decrypt AES-CBC-HMAC-SHA2 ciphertexts without the key.
Vulnerability
In jose-node-cjs-runtime versions prior to 3.11.4, the AES_CBC_HMAC_SHA2 algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) always ran both HMAC tag verification and CBC decryption, regardless of whether the tag check had already failed. If either step failed, a single generic JWEDecryptionFailed error was thrown, but the time taken by the decryption step differed depending on whether a padding error occurred. Because the tag check did not gate decryption, an attacker's modified ciphertext (which can never carry a valid tag) still reached the padding check, and the timing difference tells the attacker whether the padding was valid. That is a padding oracle [1][3].
Exploitation
An attacker can send crafted ciphertexts to a decryption endpoint and measure the response time. By distinguishing the timing of a padding error from that of a tag-only failure, the attacker learns one bit per query (valid or invalid padding) and can recover the plaintext block by block with the standard CBC padding-oracle technique, issuing on average 128 * b chosen-ciphertext queries per block (where b is the number of bytes in the ciphertext block), without knowledge of the decryption key [1][3]. No authentication or special network position is required beyond the ability to submit ciphertexts to the decryption endpoint and measure its response time precisely enough to separate the two failure paths; in practice that usually means repeated measurements per guess.
Impact
Successful exploitation allows the attacker to decrypt any ciphertext protected by the affected algorithms that can be submitted to the oracle, leading to full disclosure of the encrypted data. The confidentiality of JWEs (JSON Web Encryption) using AES-CBC-HMAC-SHA2 is compromised [1][3]. The attacker does not recover the keys and does not gain the ability to encrypt or forge messages, only to decrypt existing ones.
Mitigation
The vulnerability is fixed in jose-node-cjs-runtime version 3.11.4 and later. Users should upgrade to ^3.11.4 immediately [1][3]. No workaround is available for earlier versions. The advisory credits Morgan Brown of Microsoft for discovery [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jose-node-cjs-runtime (npm) | < 3.11.4 | 3.11.4 |
Affected products
- panva/jose-node-cjs-runtime, range: < 3.11.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-rvcw-f68w-8h8h (GHSA, advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-29446 (GHSA, advisory)
3. github.com/panva/jose/security/advisories/GHSA-rvcw-f68w-8h8h (GHSA, x_refsource_CONFIRM, web)
4. www.npmjs.com/package/jose-node-cjs-runtime (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.