Created
July 30, 2025 01:49
-
-
Save ZupeiNie/705a606fbb99f3bb8c9b51e5bc13c91d to your computer and use it in GitHub Desktop.
jose < v6.0.10 was discovered to contain weak encryption.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| CVE: CVE-2025-45767 | |
| Description: | |
| we found that the HMAC and RSA key lengths used in your JSON Web Signature (JWS) implementation do not meet recommended security standards(RFC 7518、NIST SP800-117、RFC 2437). According to CWE-326 (Inadequate Encryption Strength), using keys that are too short can lead to serious vulnerabilities and potential attacks. | |
| Affected versions: <= v6.0.10 | |
| Reference: https://github.com/panva/jose/security/advisories/GHSA-mwmr-4mj7-4hv7 |
@panva I agree with your remarks.
When this post initially appeared I was a little alarmed since the advisory is not public. Can it be made public but closed?
There is no need to be alarmed which is why I opened panva/jose#813 while also disputing the CVE.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
See panva/jose#813