Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/jose@1.13.0

Type npm

Namespace

Name jose

Version 1.13.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.0.7

Latest_non_vulnerable_version 5.0.0

Affected_by_vulnerabilities

url VCID-27wp-xth1-gqa4

vulnerability_id VCID-27wp-xth1-gqa4

summary

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-29445

reference_id

reference_type

scores

value	0.00394
scoring_system	epss
scoring_elements	0.60724
published_at	2026-06-11T12:55:00Z

value	0.00394
scoring_system	epss
scoring_elements	0.6083
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-29445

reference_url

https://github.com/panva/jose/security/advisories/GHSA-4v4g-726h-xvfv

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/panva/jose/security/advisories/GHSA-4v4g-726h-xvfv

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-29445

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-29445

reference_url

https://www.npmjs.com/package/jose-node-esm-runtime

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.npmjs.com/package/jose-node-esm-runtime

reference_url

https://github.com/advisories/GHSA-4v4g-726h-xvfv

reference_id

GHSA-4v4g-726h-xvfv

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-4v4g-726h-xvfv

fixed_packages

url pkg:npm/jose@3.11.4

purl pkg:npm/jose@3.11.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9sys-s8ej-kyar

vulnerability	VCID-qk31-mpfc-ffcz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@3.11.4

aliases CVE-2021-29445, GHSA-4v4g-726h-xvfv

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-27wp-xth1-gqa4

url VCID-9sys-s8ej-kyar

vulnerability_id VCID-9sys-s8ej-kyar

summary

jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has 
 been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28176.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28176.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-28176

reference_id

reference_type

scores

value	0.00572
scoring_system	epss
scoring_elements	0.6922
published_at	2026-06-12T12:55:00Z

value	0.00572
scoring_system	epss
scoring_elements	0.69128
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-28176

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH

reference_url

https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314

reference_id

02a65794f7873cdaf12e81e80ad076fcdc4a9314

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-11T14:26:36Z/

url

https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314

reference_url

https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b

reference_id

1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-11T14:26:36Z/

url

https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2268820
reference_id	2268820
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2268820

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-28176

reference_id

CVE-2024-28176

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-28176

reference_url

https://github.com/advisories/GHSA-hhhv-q57g-882q

reference_id

GHSA-hhhv-q57g-882q

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-hhhv-q57g-882q

reference_url

https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q

reference_id

GHSA-hhhv-q57g-882q

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-11T14:26:36Z/

url

https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/

reference_id

I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-11T14:26:36Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/

reference_id

KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-11T14:26:36Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/

reference_url	https://access.redhat.com/errata/RHSA-2024:0041
reference_id	RHSA-2024:0041
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0041

reference_url	https://access.redhat.com/errata/RHSA-2024:0045
reference_id	RHSA-2024:0045
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0045

reference_url	https://access.redhat.com/errata/RHSA-2024:3826
reference_id	RHSA-2024:3826
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:3826

reference_url	https://access.redhat.com/errata/RHSA-2024:3827
reference_id	RHSA-2024:3827
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:3827

reference_url	https://access.redhat.com/errata/RHSA-2024:3968
reference_id	RHSA-2024:3968
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:3968

reference_url	https://access.redhat.com/errata/RHSA-2024:4591
reference_id	RHSA-2024:4591
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:4591

reference_url	https://access.redhat.com/errata/RHSA-2024:5094
reference_id	RHSA-2024:5094
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5094

reference_url	https://access.redhat.com/errata/RHSA-2024:5294
reference_id	RHSA-2024:5294
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5294

reference_url	https://access.redhat.com/errata/RHSA-2024:6755
reference_id	RHSA-2024:6755
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:6755

reference_url	https://access.redhat.com/errata/RHSA-2024:8676
reference_id	RHSA-2024:8676
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:8676

reference_url	https://access.redhat.com/errata/RHSA-2024:9181
reference_id	RHSA-2024:9181
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:9181

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/

reference_id

UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-11T14:26:36Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/

reference_id

UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-11T14:26:36Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/

reference_id

XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-11T14:26:36Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/

fixed_packages

url	pkg:npm/jose@2.0.7
purl	pkg:npm/jose@2.0.7
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/jose@2.0.7

url	pkg:npm/jose@4.15.5
purl	pkg:npm/jose@4.15.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/jose@4.15.5

url	pkg:npm/jose@5.0.0
purl	pkg:npm/jose@5.0.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/jose@5.0.0

aliases CVE-2024-28176, GHSA-hhhv-q57g-882q

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9sys-s8ej-kyar

url VCID-ey1s-8bzx-mbha

vulnerability_id VCID-ey1s-8bzx-mbha

summary

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-29443

reference_id

reference_type

scores

value	0.00316
scoring_system	epss
scoring_elements	0.55124
published_at	2026-06-11T12:55:00Z

value	0.00316
scoring_system	epss
scoring_elements	0.55245
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-29443

reference_url

https://github.com/panva/jose/security/advisories/GHSA-58f5-hfqc-jgch

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/panva/jose/security/advisories/GHSA-58f5-hfqc-jgch

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-29443

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-29443

reference_url

https://www.npmjs.com/package/jose

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.npmjs.com/package/jose

reference_url

https://github.com/advisories/GHSA-58f5-hfqc-jgch

reference_id

GHSA-58f5-hfqc-jgch

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-58f5-hfqc-jgch

fixed_packages

url pkg:npm/jose@1.28.1

purl pkg:npm/jose@1.28.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-27wp-xth1-gqa4

vulnerability	VCID-9sys-s8ej-kyar

vulnerability	VCID-k757-auxn-kbgv

vulnerability	VCID-qk31-mpfc-ffcz

vulnerability	VCID-uqqy-7a13-m7cn

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@1.28.1

url pkg:npm/jose@2.0.5

purl pkg:npm/jose@2.0.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-27wp-xth1-gqa4

vulnerability	VCID-9sys-s8ej-kyar

vulnerability	VCID-k757-auxn-kbgv

vulnerability	VCID-qk31-mpfc-ffcz

vulnerability	VCID-uqqy-7a13-m7cn

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@2.0.5

url pkg:npm/jose@3.11.4

purl pkg:npm/jose@3.11.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9sys-s8ej-kyar

vulnerability	VCID-qk31-mpfc-ffcz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@3.11.4

aliases CVE-2021-29443, GHSA-58f5-hfqc-jgch

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ey1s-8bzx-mbha

url VCID-k757-auxn-kbgv

vulnerability_id VCID-k757-auxn-kbgv

summary

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-29446

reference_id

reference_type

scores

value	0.00394
scoring_system	epss
scoring_elements	0.60724
published_at	2026-06-11T12:55:00Z

value	0.00394
scoring_system	epss
scoring_elements	0.6083
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-29446

reference_url

https://github.com/panva/jose/security/advisories/GHSA-rvcw-f68w-8h8h

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/panva/jose/security/advisories/GHSA-rvcw-f68w-8h8h

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-29446

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-29446

reference_url

https://www.npmjs.com/package/jose-node-cjs-runtime

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.npmjs.com/package/jose-node-cjs-runtime

reference_url

https://github.com/advisories/GHSA-rvcw-f68w-8h8h

reference_id

GHSA-rvcw-f68w-8h8h

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-rvcw-f68w-8h8h

fixed_packages

url pkg:npm/jose@3.11.4

purl pkg:npm/jose@3.11.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9sys-s8ej-kyar

vulnerability	VCID-qk31-mpfc-ffcz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@3.11.4

aliases CVE-2021-29446, GHSA-rvcw-f68w-8h8h

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k757-auxn-kbgv

url VCID-qk31-mpfc-ffcz

vulnerability_id VCID-qk31-mpfc-ffcz

summary JOSE is "JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno. The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` PBES2 Count, which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. The purpose of this parameter is to intentionally slow down the key derivation function in order to make password brute-force and dictionary attacks more expensive. This makes the PBES2 algorithms unsuitable for situations where the JWE is coming from an untrusted source: an adversary can intentionally pick an extremely high PBES2 Count value, that will initiate a CPU-bound computation that may take an unreasonable amount of time to finish. Under certain conditions, it is possible to have the user's environment consume unreasonable amount of CPU time. The impact is limited only to users utilizing the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties who do not limit the accepted JWE Key Management Algorithms (`alg` Header Parameter) using the `keyManagementAlgorithms` (or `algorithms` in v1.x) decryption option or through other means. The `v1.28.2`, `v2.0.6`, `v3.20.4`, and `v4.9.2` releases limit the maximum PBKDF2 iteration count to `10000` by default. It is possible to adjust this limit with a newly introduced `maxPBES2Count` decryption option. If users are unable to upgrade their required library version, they have two options depending on whether they expect to receive JWEs using any of the three PBKDF2-based JWE key management algorithms. They can use the `keyManagementAlgorithms` decryption option to disable accepting PBKDF2 altogether, or they can inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (`p2c` Header Parameter).

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-36083

reference_id

reference_type

scores

value	0.00137
scoring_system	epss
scoring_elements	0.3359
published_at	2026-06-12T12:55:00Z

value	0.00137
scoring_system	epss
scoring_elements	0.33408
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-36083

reference_url

https://github.com/panva/jose/commit/03d6d013bf6e070e85adfe5731f526978e3e8e4d

reference_id

03d6d013bf6e070e85adfe5731f526978e3e8e4d

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:39:38Z/

url

https://github.com/panva/jose/commit/03d6d013bf6e070e85adfe5731f526978e3e8e4d

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-36083

reference_id

CVE-2022-36083

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-36083

reference_url

https://github.com/advisories/GHSA-jv3g-j58f-9mq9

reference_id

GHSA-jv3g-j58f-9mq9

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jv3g-j58f-9mq9

reference_url

https://github.com/panva/jose/security/advisories/GHSA-jv3g-j58f-9mq9

reference_id

GHSA-jv3g-j58f-9mq9

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:39:38Z/

url

https://github.com/panva/jose/security/advisories/GHSA-jv3g-j58f-9mq9

reference_url

https://github.com/panva/jose/releases/tag/v4.9.2

reference_id

v4.9.2

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:39:38Z/

url

https://github.com/panva/jose/releases/tag/v4.9.2

fixed_packages

url pkg:npm/jose@1.28.2

purl pkg:npm/jose@1.28.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9sys-s8ej-kyar

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@1.28.2

url pkg:npm/jose@2.0.6

purl pkg:npm/jose@2.0.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9sys-s8ej-kyar

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@2.0.6

url pkg:npm/jose@3.20.4

purl pkg:npm/jose@3.20.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9sys-s8ej-kyar

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@3.20.4

url pkg:npm/jose@4.9.2

purl pkg:npm/jose@4.9.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9sys-s8ej-kyar

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@4.9.2

aliases CVE-2022-36083, GHSA-jv3g-j58f-9mq9

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qk31-mpfc-ffcz

url VCID-uqqy-7a13-m7cn

vulnerability_id VCID-uqqy-7a13-m7cn

summary

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-29444

reference_id

reference_type

scores

value	0.00394
scoring_system	epss
scoring_elements	0.60724
published_at	2026-06-11T12:55:00Z

value	0.00394
scoring_system	epss
scoring_elements	0.6083
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-29444

reference_url

https://github.com/panva/jose/security/advisories/GHSA-94hh-pjjg-rwmr

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/panva/jose/security/advisories/GHSA-94hh-pjjg-rwmr

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-29444

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-29444

reference_url

https://www.npmjs.com/package/jose-browser-runtime

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.npmjs.com/package/jose-browser-runtime

reference_url

https://github.com/advisories/GHSA-94hh-pjjg-rwmr

reference_id

GHSA-94hh-pjjg-rwmr

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-94hh-pjjg-rwmr

fixed_packages

url pkg:npm/jose@3.11.4

purl pkg:npm/jose@3.11.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9sys-s8ej-kyar

vulnerability	VCID-qk31-mpfc-ffcz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@3.11.4

aliases CVE-2021-29444, GHSA-94hh-pjjg-rwmr

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uqqy-7a13-m7cn

Fixing_vulnerabilities

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jose@1.13.0

Package Instance