Unrated severityNVD Advisory· Published Feb 1, 2023· Updated Mar 10, 2025

reason-jose ignores signature checks

CVE-2023-23928

Description

reason-jose is a JOSE implementation in ReasonML and OCaml.Jose.Jws.validate does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks. Such tampering could expose applications using reason-jose to authorization bypass. Applications relying on JWS claims assertion to enforce security boundaries may be vulnerable to privilege escalation. This issue has been patched in version 0.8.2.

Affected products

Ulrikstrid/Reason Josev5
Range: < 0.8.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/ulrikstrid/reason-jose/commit/36cd724db3cbec121757624da49072386bd869e5mitrex_refsource_MISC
github.com/ulrikstrid/reason-jose/releases/tag/v0.8.2mitrex_refsource_MISC
github.com/ulrikstrid/reason-jose/security/advisories/GHSA-7jj9-6qwv-wpm7mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000