jose is JavaScript module for JSON Object Signing and Encryption, providing
support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web
Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A
vulnerability has been identified in the JSON Web Encryption (JWE)
decryption interfaces, specifically related to the support for
decompressing plaintext after its decryption. Under certain conditions it
is possible to have the user’s environment consume unreasonable amount of
CPU time or memory during JWE Decryption operations. This issue has been
patched in versions 2.0.7 and 4.15.5.
github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314
github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b
github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q
launchpad.net/bugs/cve/CVE-2024-28176
nvd.nist.gov/vuln/detail/CVE-2024-28176
security-tracker.debian.org/tracker/CVE-2024-28176
www.cve.org/CVERecord?id=CVE-2024-28176