MEDIUM · CVSS 5.3

CVE-2024-28176 — jose (JWT library) compressed-payload DoS

The `jose` JWT library (used by next-auth, Clerk and others) decompressed JWE payloads with no limit on the decompressed size, allowing a compressed-payload denial of service.

Affects
  • jose < 2.0.7
  • jose < 4.15.5

What an attacker does

The attacker submits a compressed JWE (JSON Web Encryption) whose tiny ciphertext decompresses to gigabytes (a zip bomb variant). The server exhausts memory while decompressing it.

How to detect

Run `npm ls jose` and compare every resolved `jose` version (including transitive copies pulled in by next-auth, Clerk and similar) against the affected ranges above.

How to fix

Upgrade `jose` to 4.15.5+ or 2.0.7+. Also: reject JWE tokens you never issue (most apps only need JWS).

How Securie catches it

Securie flags jose in the auth path of your app.

References