@tadashi/jwt@4.0.0

Vulnerabilities

1 via 1 paths

Dependencies

9

Source

npm

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
Status
  • 1
  • 0
  • 0

medium severity

Timing Attack

  • Vulnerable module: jose
  • Introduced through: jose@1.18.1

Detailed paths

  • Introduced through: @tadashi/jwt@4.0.0 jose@1.18.1
    Remediation: Upgrade to @tadashi/jwt@7.0.0.

Overview

jose is an Universal 'JSON Web Almost Everything' - JWA, JWS, JWE, JWT, JWK with no dependencies

Affected versions of this package are vulnerable to Timing Attack. A difference in task execution timing may be observed in the AES_CBC_HMAC_SHA2 Algorithm when a padding error occurs during decryption, which may allow a malicious actor to decrypt data without the key.

Remediation

Upgrade jose to version 1.28.1, 2.0.5, 3.11.4 or higher.

References