Invalid Curve Attack

2017-03-1400:10:36

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.002 Low

EPSS

Percentile

60.9%

JSON

node-jose, nimbus-jose-jwt and jose4j are vulnerable to invalid curve attacks. These attacks are possible when using key agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES), allowing attackers to recover the private secret key.

CPENameOperatorVersion
jose4jle0.5.4
jose4jle0.4.4
node-josele0.9.2
nimbus jose+jwtle4.34.1

Name	Operator	Version
jose4j	le	0.5.4
jose4j	le	0.4.4
node-jose	le	0.9.2
nimbus jose+jwt	le	4.34.1

References

blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html

gist.github.com/asanso/fa25685348051ef6a28d49aa0f27a4ae

github.com/cisco/node-jose

github.com/cisco/node-jose/pull/88

nodesecurity.io/advisories/324

0.002 Low

EPSS

Percentile

60.9%

JSON

Related for VERACODE:3653