[Security] Bump jose from 4.13.1 to 4.15.5
Bumps jose from 4.13.1 to 4.15.5. This update includes a security fix.
Vulnerabilities fixed
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective.
Note that as per RFC 8725 compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. For this reason the v5.x major version of
joseremoved support for compressed payloads entirely and is therefore NOT affected by this advisory.Impact
Under certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations.
Affected users
The impact is limited only to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.
You are NOT affected if any of the following applies to you
- Your code uses jose version v5.x where JWE Compression is not supported anymore
- Your code runs in an environment other than Node.js (e.g. Deno, CF Workers), which is the only runtime where JWE Compression is implemented out of the box
- Your code does not use the JWE decryption APIs
- Your code only accepts JWEs produced by trusted sources
Patches
... (truncated)
Patched versions: 4.15.5 Affected versions: >= 3.0.0, <= 4.15.4
Release notes
Sourced from jose's releases.
v4.15.5
Fixes
- add a maxOutputLength option to zlib inflate (1b91d88), fixes CVE-2024-28176
v4.15.4
Fixes
v4.15.3
This release contains only Node.js CITGM related test updates.
Fixes nodejs/citgm#1011
v4.15.2
Fixes
- build: add a node target for jose-browser-runtime releases (abb63d0)
v4.15.1
Fixes
- resolve missing types for the cryptoRuntime const (1627965)
v4.15.0
Features
- export the used crypto runtime as a constant (0681dda)
v4.14.6
Fixes
v4.14.5
Refactor
- catch type error when decoding base64url signature (#569) (935e920)
- catch type errors when decoding various base64url strings (9024e87)
v4.14.4
Refactor
- cleanup NODE-ED25519 workerd workarounds (072e83d)
v4.14.3
Reverts
... (truncated)
Changelog
Sourced from jose's changelog.
4.15.5 (2024-03-07)
Fixes
- add a maxOutputLength option to zlib inflate (1b91d88)
4.15.4 (2023-10-14)
Fixes
4.15.3 (2023-10-11)
4.15.2 (2023-10-04)
Fixes
- build: add a node target for jose-browser-runtime releases (abb63d0)
4.15.1 (2023-10-02)
Fixes
- resolve missing types for the cryptoRuntime const (1627965)
4.15.0 (2023-10-02)
Features
- export the used crypto runtime as a constant (0681dda)
4.14.6 (2023-09-04)
Fixes
4.14.5 (2023-09-02)
Refactor
... (truncated)
Commits
-
765aafdchore(release): 4.15.5 -
b36e45etest: add export check to x509 pem import tests -
e839ecbtest: stop testing JWE RSA1_5 Algorithm -
1b91d88fix: add a maxOutputLength option to zlib inflate -
9ca2b24build: remove release action -
f3035d8chore: cleanup after release -
f0bb220chore(release): 4.15.4 -
6f38554chore: bump dev deps -
936c9dffix(types): export GetKeyFunction (#592) -
5ac6619chore: bump dev deps - Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
-
$dependabot rebasewill rebase this MR -
$dependabot recreatewill recreate this MR rewriting all the manual changes and resolving conflicts