VYPR

npm package

node-jose

pkg:npm/node-jose

Vulnerabilities (3)

  • CVE-2023-25653Feb 16, 2023
    affected < 2.2.0fixed 2.2.0

    node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for web browsers and node.js-based servers. Prior to version 2.2.0, when using the non-default "fallback" crypto back-end, ECC operations in `node-jose` can trigger a Denial-of-Service (DoS)

  • CVE-2017-16007MedJun 4, 2018
    affected < 0.9.3fixed 0.9.3

    node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key w

  • CVE-2018-0114HigJan 4, 2018
    affected < 0.11.0fixed 0.11.0

    A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Signature (JWS) standard for JSON