joserfc is vulnerable to Use of Insufficiently Random Values
26
Low Risk
Affected versions of the joserfc library may be vulnerable because their implementation of RFC 7516 (JSON Web Encryption, JWE) relies on random values that are not generated with sufficient randomness. RFC 7516 specifies authenticated encryption with associated data (AEAD) and requires cryptographically secure random values for key generation, nonces (initialization vectors), and other components. If those values are predictable or inadequately randomized, an attacker could exploit weaknesses in the encryption process and compromise the security of sensitive data. This vulnerability may lead to exposure of plaintext or unauthorized access to encrypted information, undermining the confidentiality and integrity guarantees the library is meant to provide.
You are affected if you are using a version that falls within the vulnerable range.
joserfc is vulnerable to Use of Insufficiently Random Values in versions 0.2.0 - 1.0.3.
Upgrade the joserfc library to a patched version (any release after 1.0.3, the end of the affected range).
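As an added illustration (not joserfc's own code, and not a description of the specific defect in the affected releases), the following stand-alone Python shows the two halves of the requirement the advisory refers to: JWE content-encryption keys and AES-GCM IVs drawn from the operating-system CSPRNG via `secrets`, beside the weak pattern of drawing the same bytes from a seeded, non-cryptographic PRNG, plus a small check that flags an IV appearing twice. The key and IV lengths follow the AES-GCM `enc` values registered in RFC 7518; the function names, the `JWE_GCM_SIZES` table and the sample seeds are constructed for this example.

```python
"""Generating JWE (RFC 7516) key material from a CSPRNG, beside the weak
pattern this advisory class describes: key/IV bytes from a seeded PRNG.
Constructed example; not code from the joserfc project."""
import random
import secrets
from typing import Dict, List, Tuple

# Key and IV lengths in bytes for the AES-GCM "enc" values of RFC 7518 s.5.3.
# AES-GCM uses a 96-bit IV; reusing an IV under one key breaks both
# confidentiality and authenticity, so each IV must be fresh and unpredictable.
JWE_GCM_SIZES: Dict[str, Tuple[int, int]] = {
    "A128GCM": (16, 12),
    "A192GCM": (24, 12),
    "A256GCM": (32, 12),
}


def generate_cek_and_iv(enc: str) -> Tuple[bytes, bytes]:
    """Return (content-encryption key, IV) drawn from the OS CSPRNG."""
    if enc not in JWE_GCM_SIZES:
        raise ValueError(f"unsupported enc: {enc}")
    key_len, iv_len = JWE_GCM_SIZES[enc]
    # secrets.token_bytes reads from os.urandom, which is the kind of source
    # the RFC's "cryptographically secure random" requirement calls for.
    return secrets.token_bytes(key_len), secrets.token_bytes(iv_len)


def seeded_cek_and_iv(enc: str, seed: int) -> Tuple[bytes, bytes]:
    """Constructed illustration of the insecure pattern (not joserfc's code):
    key material from a Mersenne Twister PRNG. Given the seed, or enough prior
    outputs, every "random" key and IV it produces is reproducible."""
    if enc not in JWE_GCM_SIZES:
        raise ValueError(f"unsupported enc: {enc}")
    key_len, iv_len = JWE_GCM_SIZES[enc]
    rng = random.Random(seed)  # deterministic; random.Random is not a CSPRNG
    return rng.randbytes(key_len), rng.randbytes(iv_len)


def find_iv_reuse(ivs: List[bytes]) -> List[bytes]:
    """Return the IVs that occur more than once; under one key this must be empty."""
    seen = set()
    reused: List[bytes] = []
    for iv in ivs:
        if iv in seen and iv not in reused:
            reused.append(iv)
        seen.add(iv)
    return reused


if __name__ == "__main__":
    secure_ivs = [generate_cek_and_iv("A256GCM")[1] for _ in range(10_000)]
    print("CSPRNG IV reuse:", find_iv_reuse(secure_ivs))  # []
    # A fixed seed reproduces the same IV on every call, so it is reused at once.
    weak_ivs = [seeded_cek_and_iv("A256GCM", 42)[1] for _ in range(3)]
    print("seeded PRNG IV reuse count:", len(find_iv_reuse(weak_ivs)))  # 1
```

The point the check makes is that the CSPRNG path never repeats an IV in practice (10,000 draws of a 96-bit value), while the seeded path repeats on the very next call; when auditing a JOSE library, the thing to look for is which of these two sources feeds CEK, IV and ephemeral-key generation.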