Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/jose@1.17.2

Type npm

Namespace

Name jose

Version 1.17.2

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.0.7

Latest_non_vulnerable_version 5.0.0

Affected_by_vulnerabilities

url VCID-2uh2-9xx8-vkcn

vulnerability_id VCID-2uh2-9xx8-vkcn

summary

Information Exposure Through Discrepancy
jose is an npm library providing a number of cryptographic operations.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-29443

reference_id

reference_type

scores

value	0.00316
scoring_system	epss
scoring_elements	0.54991
published_at	2026-06-04T12:55:00Z

value	0.00316
scoring_system	epss
scoring_elements	0.55048
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-29443

reference_url

https://github.com/panva/jose/security/advisories/GHSA-58f5-hfqc-jgch

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/panva/jose/security/advisories/GHSA-58f5-hfqc-jgch

reference_url

https://www.npmjs.com/package/jose

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.npmjs.com/package/jose

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-29443

reference_id

CVE-2021-29443

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-29443

fixed_packages

url pkg:npm/jose@1.28.1

purl pkg:npm/jose@1.28.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3e3m-ebuj-1ke6

vulnerability	VCID-7vsr-f3b9-k3fs

vulnerability	VCID-busd-dhkj-z3dn

vulnerability	VCID-nmpf-59gu-5bfq

vulnerability	VCID-t9xr-pum6-rfcc

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@1.28.1

url pkg:npm/jose@2.0.5

purl pkg:npm/jose@2.0.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3e3m-ebuj-1ke6

vulnerability	VCID-7vsr-f3b9-k3fs

vulnerability	VCID-busd-dhkj-z3dn

vulnerability	VCID-nmpf-59gu-5bfq

vulnerability	VCID-t9xr-pum6-rfcc

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@2.0.5

url pkg:npm/jose@3.11.4

purl pkg:npm/jose@3.11.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3e3m-ebuj-1ke6

vulnerability	VCID-nmpf-59gu-5bfq

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@3.11.4

aliases CVE-2021-29443, GHSA-58f5-hfqc-jgch

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2uh2-9xx8-vkcn

url VCID-3e3m-ebuj-1ke6

vulnerability_id VCID-3e3m-ebuj-1ke6

summary

jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext
A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the [support for decompressing plaintext after its decryption](https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.3). This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective.

Note that as per [RFC 8725](https://www.rfc-editor.org/rfc/rfc8725.html#name-avoid-compression-of-encryp) compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. For this reason the v5.x major version of `jose` removed support for compressed payloads entirely and is therefore NOT affected by this advisory.

### Impact

Under certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations.

### Affected users

The impact is limited only to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.

You are NOT affected if any of the following applies to you

- Your code uses jose version v5.x where JWE Compression is not supported anymore
- Your code runs in an environment other than Node.js (e.g. Deno, CF Workers), which is the only runtime where JWE Compression is implemented out of the box
- Your code does not use the JWE decryption APIs
- Your code only accepts JWEs produced by trusted sources

### Patches

`v2.0.7` and `v4.15.5` releases limit the decompression routine to only allow decompressing up to 250 kB of plaintext. In v4.x it is possible to further adjust this limit via the `inflateRaw` decryption option implementation. In v2.x it is possible to further adjust this limit via the `inflateRawSyncLimit` decryption option.

### Workarounds

If you cannot upgrade and do not want to support compressed JWEs you may detect and reject these tokens early by checking the token's protected header

```js
const { zip } = jose.decodeProtectedHeader(token)
if (zip !== undefined) {
  throw new Error('JWE Compression is not supported')
}
```

If you wish to continue supporting JWEs with compressed payloads in these legacy release lines you must upgrade (v1.x and v2.x to version v2.0.7, v3.x and v4.x to version v4.15.5) and review the limits put forth by the patched releases.

### For more information
If you have any questions or comments about this advisory please open a discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-hhhv-q57g-882q%20advisory%20question)

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28176.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28176.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-28176

reference_id

reference_type

scores

value	0.00572
scoring_system	epss
scoring_elements	0.69063
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-28176

reference_url

https://github.com/panva/jose

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/panva/jose

reference_url

https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314

reference_id

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-11T14:26:36Z/

url

https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314

reference_url

https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b

reference_id

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-11T14:26:36Z/

url

https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2268820
reference_id	2268820
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2268820

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-28176

reference_id

CVE-2024-28176

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-28176

reference_url

https://github.com/advisories/GHSA-hhhv-q57g-882q

reference_id

GHSA-hhhv-q57g-882q

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-hhhv-q57g-882q

reference_url

https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q

reference_id

GHSA-hhhv-q57g-882q

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-11T14:26:36Z/

url

https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/

reference_id

I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-11T14:26:36Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/

reference_id

KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-11T14:26:36Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/

reference_url	https://access.redhat.com/errata/RHSA-2024:3826
reference_id	RHSA-2024:3826
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:3826

reference_url	https://access.redhat.com/errata/RHSA-2024:3827
reference_id	RHSA-2024:3827
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:3827

reference_url	https://access.redhat.com/errata/RHSA-2024:3968
reference_id	RHSA-2024:3968
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:3968

reference_url	https://access.redhat.com/errata/RHSA-2024:5094
reference_id	RHSA-2024:5094
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5094

reference_url	https://access.redhat.com/errata/RHSA-2024:5294
reference_id	RHSA-2024:5294
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5294

reference_url	https://access.redhat.com/errata/RHSA-2024:6755
reference_id	RHSA-2024:6755
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:6755

reference_url	https://access.redhat.com/errata/RHSA-2024:8676
reference_id	RHSA-2024:8676
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:8676

reference_url	https://access.redhat.com/errata/RHSA-2024:9181
reference_id	RHSA-2024:9181
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:9181

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/

reference_id

UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-11T14:26:36Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/

reference_id

UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-11T14:26:36Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/

reference_id

XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-11T14:26:36Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/

fixed_packages

url	pkg:npm/jose@2.0.7
purl	pkg:npm/jose@2.0.7
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/jose@2.0.7

url	pkg:npm/jose@4.15.5
purl	pkg:npm/jose@4.15.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/jose@4.15.5

url	pkg:npm/jose@5.0.0
purl	pkg:npm/jose@5.0.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/jose@5.0.0

aliases CVE-2024-28176, GHSA-hhhv-q57g-882q

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3e3m-ebuj-1ke6

url VCID-7vsr-f3b9-k3fs

vulnerability_id VCID-7vsr-f3b9-k3fs

summary

Information Exposure Through Discrepancy
jose-browser-runtime is an npm package which provides a number of cryptographic functions.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-29444

reference_id

reference_type

scores

value	0.00394
scoring_system	epss
scoring_elements	0.60611
published_at	2026-06-04T12:55:00Z

value	0.00394
scoring_system	epss
scoring_elements	0.60659
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-29444

reference_url

https://github.com/panva/jose

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/panva/jose

reference_url

https://www.npmjs.com/package/jose-browser-runtime

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.npmjs.com/package/jose-browser-runtime

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-29444

reference_id

CVE-2021-29444

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-29444

reference_url	https://github.com/advisories/GHSA-94hh-pjjg-rwmr
reference_id	GHSA-94hh-pjjg-rwmr
reference_type
scores
url	https://github.com/advisories/GHSA-94hh-pjjg-rwmr

reference_url

https://github.com/panva/jose/security/advisories/GHSA-94hh-pjjg-rwmr

reference_id

GHSA-94hh-pjjg-rwmr

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/panva/jose/security/advisories/GHSA-94hh-pjjg-rwmr

fixed_packages

url pkg:npm/jose@3.11.4

purl pkg:npm/jose@3.11.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3e3m-ebuj-1ke6

vulnerability	VCID-nmpf-59gu-5bfq

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@3.11.4

aliases CVE-2021-29444, GHSA-94hh-pjjg-rwmr

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7vsr-f3b9-k3fs

url VCID-busd-dhkj-z3dn

vulnerability_id VCID-busd-dhkj-z3dn

summary

Information Exposure Through Discrepancy
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-29445

reference_id

reference_type

scores

value	0.00394
scoring_system	epss
scoring_elements	0.60611
published_at	2026-06-04T12:55:00Z

value	0.00394
scoring_system	epss
scoring_elements	0.60659
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-29445

reference_url

https://github.com/panva/jose

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/panva/jose

reference_url

https://www.npmjs.com/package/jose-node-esm-runtime

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.npmjs.com/package/jose-node-esm-runtime

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-29445

reference_id

CVE-2021-29445

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-29445

reference_url	https://github.com/advisories/GHSA-4v4g-726h-xvfv
reference_id	GHSA-4v4g-726h-xvfv
reference_type
scores
url	https://github.com/advisories/GHSA-4v4g-726h-xvfv

reference_url

https://github.com/panva/jose/security/advisories/GHSA-4v4g-726h-xvfv

reference_id

GHSA-4v4g-726h-xvfv

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/panva/jose/security/advisories/GHSA-4v4g-726h-xvfv

fixed_packages

url pkg:npm/jose@3.11.4

purl pkg:npm/jose@3.11.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3e3m-ebuj-1ke6

vulnerability	VCID-nmpf-59gu-5bfq

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@3.11.4

aliases CVE-2021-29445, GHSA-4v4g-726h-xvfv

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-busd-dhkj-z3dn

url VCID-nmpf-59gu-5bfq

vulnerability_id VCID-nmpf-59gu-5bfq

summary JOSE is "JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno. The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` PBES2 Count, which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. The purpose of this parameter is to intentionally slow down the key derivation function in order to make password brute-force and dictionary attacks more expensive. This makes the PBES2 algorithms unsuitable for situations where the JWE is coming from an untrusted source: an adversary can intentionally pick an extremely high PBES2 Count value, that will initiate a CPU-bound computation that may take an unreasonable amount of time to finish. Under certain conditions, it is possible to have the user's environment consume unreasonable amount of CPU time. The impact is limited only to users utilizing the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties who do not limit the accepted JWE Key Management Algorithms (`alg` Header Parameter) using the `keyManagementAlgorithms` (or `algorithms` in v1.x) decryption option or through other means. The `v1.28.2`, `v2.0.6`, `v3.20.4`, and `v4.9.2` releases limit the maximum PBKDF2 iteration count to `10000` by default. It is possible to adjust this limit with a newly introduced `maxPBES2Count` decryption option. If users are unable to upgrade their required library version, they have two options depending on whether they expect to receive JWEs using any of the three PBKDF2-based JWE key management algorithms. They can use the `keyManagementAlgorithms` decryption option to disable accepting PBKDF2 altogether, or they can inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (`p2c` Header Parameter).

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-36083

reference_id

reference_type

scores

value	0.00137
scoring_system	epss
scoring_elements	0.33301
published_at	2026-06-04T12:55:00Z

value	0.00137
scoring_system	epss
scoring_elements	0.33402
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-36083

reference_url

https://github.com/panva/jose

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/panva/jose

reference_url

https://github.com/panva/jose/commit/03d6d013bf6e070e85adfe5731f526978e3e8e4d

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:39:38Z/

url

https://github.com/panva/jose/commit/03d6d013bf6e070e85adfe5731f526978e3e8e4d

reference_url

https://github.com/panva/jose/releases/tag/v4.9.2

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:39:38Z/

url

https://github.com/panva/jose/releases/tag/v4.9.2

reference_url

https://github.com/panva/jose/security/advisories/GHSA-jv3g-j58f-9mq9

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:39:38Z/

url

https://github.com/panva/jose/security/advisories/GHSA-jv3g-j58f-9mq9

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-36083

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-36083

reference_url

https://github.com/advisories/GHSA-jv3g-j58f-9mq9

reference_id

GHSA-jv3g-j58f-9mq9

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jv3g-j58f-9mq9

fixed_packages

url pkg:npm/jose@1.28.2

purl pkg:npm/jose@1.28.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3e3m-ebuj-1ke6

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@1.28.2

url pkg:npm/jose@2.0.6

purl pkg:npm/jose@2.0.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3e3m-ebuj-1ke6

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@2.0.6

url pkg:npm/jose@3.20.4

purl pkg:npm/jose@3.20.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3e3m-ebuj-1ke6

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@3.20.4

url pkg:npm/jose@4.9.2

purl pkg:npm/jose@4.9.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3e3m-ebuj-1ke6

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@4.9.2

aliases CVE-2022-36083, GHSA-jv3g-j58f-9mq9

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nmpf-59gu-5bfq

url VCID-t9xr-pum6-rfcc

vulnerability_id VCID-t9xr-pum6-rfcc

summary

Information Exposure Through Discrepancy
jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-29446

reference_id

reference_type

scores

value	0.00394
scoring_system	epss
scoring_elements	0.60611
published_at	2026-06-04T12:55:00Z

value	0.00394
scoring_system	epss
scoring_elements	0.60659
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-29446

reference_url

https://github.com/panva/jose

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/panva/jose

reference_url

https://www.npmjs.com/package/jose-node-cjs-runtime

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.npmjs.com/package/jose-node-cjs-runtime

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-29446

reference_id

CVE-2021-29446

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-29446

reference_url	https://github.com/advisories/GHSA-rvcw-f68w-8h8h
reference_id	GHSA-rvcw-f68w-8h8h
reference_type
scores
url	https://github.com/advisories/GHSA-rvcw-f68w-8h8h

reference_url

https://github.com/panva/jose/security/advisories/GHSA-rvcw-f68w-8h8h

reference_id

GHSA-rvcw-f68w-8h8h

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/panva/jose/security/advisories/GHSA-rvcw-f68w-8h8h

fixed_packages

url pkg:npm/jose@3.11.4

purl pkg:npm/jose@3.11.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3e3m-ebuj-1ke6

vulnerability	VCID-nmpf-59gu-5bfq

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@3.11.4

aliases CVE-2021-29446, GHSA-rvcw-f68w-8h8h

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t9xr-pum6-rfcc

Fixing_vulnerabilities

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@1.17.2

Package Instance