PT-2024-2063 · Npm+4 · Jose+4
P3Ngu1Nw · Published 2024-03-07 · Updated 2025-12-05 · CVE-2024-28176
CVSS v2.0: 6.1 (Medium)
Vector: AV:N/AC:L/Au:M/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
jose versions prior to 2.0.7
jose versions prior to 4.15.5
Description
A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions, it is possible to have the user's environment consume an unreasonable amount of CPU time or memory during JWE Decryption operations. The impact is limited to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.
Recommendations
For versions prior to 2.0.7, update to version 2.0.7 to limit the decompression routine and prevent excessive CPU time or memory consumption.
For versions prior to 4.15.5, update to version 4.15.5 to limit the decompression routine and prevent excessive CPU time or memory consumption. In version 4.x, further adjust the limit via the inflateRaw decryption option implementation.
As a temporary workaround, detect and reject JWEs with compressed payloads by checking the token's protected header and throwing an error if compression is detected.
Exploit
Fix
Resource Exhaustion
Weakness Enumeration
Related Identifiers
Affected Products
Almalinux
Centos
Red Hat
Rocky Linux
Jose