Possible denial of service when decrypting JWT/JWE with RSA-OAEP encryption using incorrect public key length
Moderate
babelouest
published
GHSA-wj6h-m4hc-r59m
Aug 20, 2022
Package
rhonabwy
(C)
Affected versions
>= 0.9.99 && <= 1.1.6
Patched versions
1.1.7
Description
Impact
When using JWE or JWT with the RSA-OAEP key encryption algorithm, rhonabwy before version 1.1.7 does not check the private key length against the encrypted key carried in the token before decrypting it, which can lead to a denial of service with crafted tokens.
Patches
Version 1.1.7 contains the fix.
Workarounds
Check that the private key used to decrypt a token is the same size as the one used to encrypt the token before attempting to use it. Since an RSAES-OAEP ciphertext is always exactly as long as the RSA modulus, this amounts to verifying that the token's encrypted-key segment decodes to the modulus length of the private key, and rejecting the token otherwise.
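The following is an added, stand-alone illustration of that workaround in C; it is not rhonabwy code and does not use the rhonabwy API. It splits a compact JWE, base64url-decodes the second (encrypted key) segment, and accepts the token only when the decoded length equals the private key's modulus length in bytes. The modulus size (`rsa_bits`) is assumed to be obtained from the application's own key handling, and the sample tokens are constructed with dummy header, IV, ciphertext and tag segments.

```c
/* Added example: pre-decryption length check for RSA-OAEP JWE tokens.
 * Not rhonabwy code; rsa_bits is assumed to come from the caller's key. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char B64URL[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/* Value of one base64url character, or -1 if it is not in the alphabet. */
static int b64url_val(char c) {
    const char *p = c ? strchr(B64URL, c) : NULL;
    return p ? (int)(p - B64URL) : -1;
}

/* Decode unpadded base64url. Returns the byte count, or -1 on malformed
 * input. Pass out == NULL to only measure the decoded length. */
long b64url_decode(const char *s, size_t n, unsigned char *out, size_t cap) {
    unsigned long acc = 0; int bits = 0; long written = 0;
    if (n % 4 == 1) return -1;                 /* no valid encoding has this length */
    for (size_t i = 0; i < n; i++) {
        int v = b64url_val(s[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned long)v; bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (out) {
                if ((size_t)written >= cap) return -1;
                out[written] = (unsigned char)((acc >> bits) & 0xff);
            }
            written++;
        }
    }
    return written;
}

/* Encode to unpadded base64url into a malloc'd string (caller frees). */
char *b64url_encode(const unsigned char *in, size_t n) {
    char *out = malloc(4 * ((n + 2) / 3) + 1);
    size_t o = 0;
    for (size_t i = 0; i < n; i += 3) {
        unsigned long v = (unsigned long)in[i] << 16;
        if (i + 1 < n) v |= (unsigned long)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = B64URL[(v >> 18) & 63];
        out[o++] = B64URL[(v >> 12) & 63];
        if (i + 1 < n) out[o++] = B64URL[(v >> 6) & 63];
        if (i + 2 < n) out[o++] = B64URL[v & 63];
    }
    out[o] = '\0';
    return out;
}

/* Locate the idx-th dot-separated segment of a compact serialization. */
static int jwe_segment(const char *compact, int idx, const char **seg, size_t *len) {
    const char *p = compact;
    for (int i = 0; i < idx; i++) {
        p = strchr(p, '.');
        if (!p) return -1;
        p++;
    }
    const char *end = strchr(p, '.');
    *seg = p;
    *len = end ? (size_t)(end - p) : strlen(p);
    return 0;
}

/* The workaround check: 1 if the token has five segments and its encrypted
 * key decodes to exactly the modulus length of an rsa_bits private key,
 * 0 otherwise (wrong length, bad base64url, or malformed structure). */
int jwe_rsa_oaep_key_len_ok(const char *compact, unsigned int rsa_bits) {
    const char *seg; size_t seglen; int dots = 0;
    for (const char *p = compact; *p; p++) if (*p == '.') dots++;
    if (dots != 4) return 0;
    if (jwe_segment(compact, 1, &seg, &seglen) != 0) return 0;
    long klen = b64url_decode(seg, seglen, NULL, 0);
    if (klen < 0) return 0;
    return (unsigned long)klen == (rsa_bits + 7) / 8;   /* RSAES-OAEP output is k octets */
}

/* Constructed sample: RSA-OAEP/A256GCM header, key_bytes of zero filler as
 * the encrypted key, and dummy IV/ciphertext/tag segments. */
char *make_sample_jwe(size_t key_bytes) {
    const char *json = "{\"alg\":\"RSA-OAEP\",\"enc\":\"A256GCM\"}";
    unsigned char *filler = calloc(key_bytes ? key_bytes : 1, 1);
    char *hdr = b64url_encode((const unsigned char *)json, strlen(json));
    char *key = b64url_encode(filler, key_bytes);
    size_t need = strlen(hdr) + strlen(key) + 64;
    char *tok = malloc(need);
    snprintf(tok, need, "%s.%s.AAAAAAAAAAAAAAAA.AAAA.AAAAAAAAAAAAAAAAAAAAAA", hdr, key);
    free(filler); free(hdr); free(key);
    return tok;
}

/* Build a sample with key_bytes of encrypted key and check it against rsa_bits. */
int sample_check(size_t key_bytes, unsigned int rsa_bits) {
    char *tok = make_sample_jwe(key_bytes);
    int ok = jwe_rsa_oaep_key_len_ok(tok, rsa_bits);
    free(tok);
    return ok;
}

int main(void) {
    printf("2048-bit key, 256-byte encrypted key: %s\n", sample_check(256, 2048) ? "accept" : "reject");
    printf("2048-bit key, 32-byte encrypted key:  %s\n", sample_check(32, 2048) ? "accept" : "reject");
    return 0;
}
```

Run the check on the raw compact token before calling the library's parse-and-decrypt routine; a token that fails it cannot have been produced with the matching public key, so there is no reason to hand it to RSA-OAEP at all. The same length test generalises to RSA1_5 and RSA-OAEP-256, whose encrypted keys are also modulus-sized.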