PT-2023-20213 · Node-Jose · Node-Jose

Parente95481A

Published 2023-02-16 · Updated 2023-02-24 · CVE-2023-25653
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: node-jose versions prior to 2.2.0
Description: The issue is a Denial-of-Service (DoS) condition in the "fallback" crypto back-end of node-jose, which can be triggered by malicious input, or occur at random, for some ECC operations. It is caused by a possible infinite loop in an internal calculation, because the jsbn modInverse function sometimes returns negative results. The affected elliptic curve algorithms include key generation, converting a private key to a public key, ECDSA signing and verification, and ECDH key agreement.
Recommendations: For versions prior to 2.2.0, ensure that either WebCrypto or the Node crypto module is available in the JS environment where node-jose runs, to avoid the issue (the vulnerable fallback back-end is then not selected). Update to version 2.2.0 or later to resolve the issue.
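An added illustration, not code from node-jose or jsbn, of the defect class the description names: a modular inverse whose result is not reduced into [0, m) feeds a scalar loop that only terminates for non-negative input. The integer group standing in for curve points, the double-and-add loop and the step bound are constructed for this example; node-jose's actual internal calculation is not shown here.

```javascript
// Added illustration (not node-jose's or jsbn's code): a BigInt model of the
// defect class in the advisory, where a modular inverse that is not reduced
// into [0, m) feeds a scalar loop that only terminates for non-negative input.
// Extended Euclid: returns [g, x, y] with a*x + m*y = g = gcd(a, m).
function extendedGcd(a, m) {
  let [oldR, r] = [a, m], [oldS, s] = [1n, 0n], [oldT, t] = [0n, 1n];
  while (r !== 0n) {
    const q = oldR / r;
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
    [oldT, t] = [t, oldT - q * t];
  }
  return [oldR, oldS, oldT];
}

// Defective form: the raw Bezout coefficient x may be negative, which is
// the "negative result" condition the advisory describes.
function modInverseUnnormalised(a, m) {
  const [g, x] = extendedGcd(a, m);
  if (g !== 1n) throw new Error('no inverse: gcd != 1');
  return x;
}

// Corrected form: reduce the coefficient into the canonical range [0, m).
function modInverse(a, m) {
  const x = modInverseUnnormalised(a, m);
  return ((x % m) + m) % m;
}

// Hypothetical double-and-add loop over the bits of scalar k. Integers mod p
// stand in for curve points, so "add" and "double" are ordinary arithmetic.
// For a negative BigInt, k >>= 1n converges to -1n and never reaches 0n, so
// the loop would spin forever; the step bound turns that hang into an error.
function scalarMultiply(k, point, p, maxSteps = 4096) {
  let acc = 0n, base = point % p, steps = 0;
  while (k !== 0n) {
    if (++steps > maxSteps) throw new RangeError('scalar loop did not terminate');
    if (k & 1n) acc = (acc + base) % p;
    base = (base * 2n) % p;
    k >>= 1n;
  }
  return acc;
}

// Returns true when a sign-unnormalised inverse would hang the scalar loop.
function inverseHangsLoop(a, m) {
  try { scalarMultiply(modInverseUnnormalised(a, m), 1n, m); return false; }
  catch (e) { return e instanceof RangeError; }
}
```

For a = 3, m = 7 the raw coefficient is -2 while the canonical inverse is 5; the bounded loop reports the hang instead of consuming CPU indefinitely, which is the failure mode a caller of the fallback back-end would otherwise see.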


Weakness Enumeration: Infinite Loop

Related Identifiers: CVE-2023-25653, GHSA-5H4J-QRVG-9XHW

Affected Products: Node-Jose