node-jose

Invalid Curve Attack

Severity: high

Overview

Affected versions of node-jose are vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.

Proof of Concept

Remediation

Update to version 0.9.3 or later.

Vulnerable versions

0.3.0
3 years ago
0.3.1
3 years ago
0.4.0
3 years ago
0.5.0
3 years ago
0.5.1
3 years ago
0.5.2
3 years ago
0.6.0
3 years ago
0.7.0
3 years ago
0.7.1
3 years ago
0.8.0
2 years ago
0.8.1
2 years ago
0.9.0
2 years ago
0.9.1
2 years ago
0.9.2
2 years ago

Unaffected versions

0.9.3
2 years ago
0.9.4
a year ago
0.9.5
a year ago
0.10.0
a year ago
0.11.0
9 months ago
0.11.1
3 months ago
1.0.0
3 months ago

Advisory timeline

  1. published

    Advisory published
    Mar 13th, 2017
  2. reported

    Mar 13th, 2017