@tadashi/jwt@6.0.0

Vulnerabilities

1 via 1 paths

Dependencies

5

Source

npm

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
Status
  • 1
  • 0
  • 0

medium severity

Timing Attack

  • Vulnerable module: jose
  • Introduced through: jose@2.0.1

Detailed paths

  • Introduced through: @tadashi/jwt@6.0.0 jose@2.0.1
    Remediation: Upgrade to jose@2.0.5.

Overview

jose is an Universal 'JSON Web Almost Everything' - JWA, JWS, JWE, JWT, JWK with no dependencies

Affected versions of this package are vulnerable to Timing Attack. A difference in task execution timing may be observed in the AES_CBC_HMAC_SHA2 Algorithm when a padding error occurs during decryption, which may allow a malicious actor to decrypt data without the key.

Remediation

Upgrade jose to version 1.28.1, 2.0.5, 3.11.4 or higher.

References