EPSS: 0.002 (Low), percentile 60.8%
node-jose, nimbus-jose-jwt and jose4j are vulnerable to invalid curve attacks. These attacks are possible when using key agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES), allowing attackers to recover the private secret key.
blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html
gist.github.com/asanso/fa25685348051ef6a28d49aa0f27a4ae
github.com/cisco/node-jose
github.com/cisco/node-jose/pull/88
nodesecurity.io/advisories/324