CVE-2024-28102: JWCrypto vulnerable to JWT bomb Attack in `deserialize` function
An attacker can cause a denial of service by passing in a malicious JWE token whose compressed payload has a very high compression ratio. When the server deserializes this token and inflates the payload, it consumes a large amount of memory and processing time.
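The mitigation a deserializer needs is to bound the inflated size before the full expansion happens. The following is an added illustration, not jwcrypto's own code: it inflates a JWE-style payload (JWE `"zip": "DEF"` is raw DEFLATE, no zlib header) through `zlib.decompressobj` with an output cap, so an oversize payload is rejected after at most `limit` bytes are produced. The limit value and the sample payloads are constructed for this example.

```python
import zlib

# Assumed upper bound on the inflated payload we are willing to hold in
# memory; choose it from the real payload sizes your service expects.
MAX_INFLATED_BYTES = 256 * 1024


class PayloadTooLarge(ValueError):
    """Raised when a compressed payload would inflate past the limit."""


def bounded_inflate(data: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate raw DEFLATE data (wbits=-15, as used by JWE "zip":"DEF")
    without ever allocating more than limit+1 bytes of output.

    decompress(data, max_length) stops producing output once max_length
    bytes exist, so a decompression bomb is caught early instead of being
    expanded in full. Asking for limit+1 lets a payload of exactly `limit`
    bytes finish cleanly (eof is reached) while anything larger trips.
    """
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, limit + 1)
    if len(out) > limit:
        raise PayloadTooLarge(
            f"inflated payload exceeds {limit} bytes; rejecting token")
    if not d.eof:
        raise ValueError("truncated or malformed DEFLATE stream")
    return out


def is_within_limit(data: bytes, limit: int = MAX_INFLATED_BYTES) -> bool:
    """Convenience predicate: True if the payload inflates within the cap."""
    try:
        bounded_inflate(data, limit)
        return True
    except PayloadTooLarge:
        return False


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header), matching the JWE "zip":"DEF" encoding."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


# Constructed sample inputs: a normal claims payload and an oversize
# test payload (8 MiB of zeros) that compresses to a few KiB.
CLAIMS = b'{"sub":"alice","scope":"read"}'
SMALL_PAYLOAD = deflate_raw(CLAIMS)
OVERSIZE_PAYLOAD = deflate_raw(b"\x00" * (8 * 1024 * 1024))
```

A deserializer should apply this check to the ciphertext after decryption and before JSON parsing, so memory is bounded regardless of what the token's `zip` header claims.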
References
- github.com/advisories/GHSA-j857-7rvv-vj97
- github.com/latchset/jwcrypto
- github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f
- github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97
- lists.debian.org/debian-lts-announce/2024/09/msg00026.html
- nvd.nist.gov/vuln/detail/CVE-2024-28102
- www.vicarius.io/vsociety/posts/denial-of-service-vulnerability-discovered-in-jwcrypto-cve-2024-28102-28103