Parente95481A

**Name of the Vulnerable Software and Affected Versions** node-jose versions prior to 2.2.0 **Description** The issue is related to a Denial-of-Service (DoS) condition in the "fallback" crypto back-end of node-jose, which can be triggered by malicious input or randomly for some ECC operations. This condition is caused by a possible infinite loop in an internal calculation due to the `jsbn` `modInverse` function sometimes returning negative results. The affected elliptic curve algorithms include key generation, converting a private key to a public key, ECDSA signing and verification, and ECDH key agreement. **Recommendations** For versions prior to 2.2.0, ensure that either WebCrypto or the Node `crypto` module is available in the JS environment where `node-jose` is being run to avoid the issue. Update to version 2.2.0 or later to resolve the issue.