CVE-2023-25653— Improper calculations in ECC implementation can trigger a Denial-of-Service (DoS)

CVSS 7.5 · High EPSS 0.46% · P64 Updated Mar 11, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-25653

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Improper calculations in ECC implementation can trigger a Denial-of-Service (DoS)

Source: NVD (National Vulnerability Database)

Vulnerability Description

node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for web browsers and node.js-based servers. Prior to version 2.2.0, when using the non-default "fallback" crypto back-end, ECC operations in `node-jose` can trigger a Denial-of-Service (DoS) condition, due to a possible infinite loop in an internal calculation. For some ECC operations, this condition is triggered randomly; for others, it can be triggered by malicious input. The issue has been patched in version 2.2.0. Since this issue is only present in the "fallback" crypto implementation, it can be avoided by ensuring that either WebCrypto or the Node `crypto` module is available in the JS environment where `node-jose` is being run.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

不可达退出条件的循环(无限循环)

Source: NVD (National Vulnerability Database)

Vulnerability Title

jose 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

npm jose是美国npm公司的一个应用软件。使用本机加密运行时不依赖项的JWA，JWS，JWE，JWT，JWK。 jose 2.2.0之前版本存在安全漏洞，该漏洞源于存在拒绝服务(DoS)漏洞。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
cisco	node-jose	< 2.2.0	-

II. Public POCs for CVE-2023-25653

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-25653

请登录查看更多情报信息。

https://github.com/cisco/node-jose/security/advisories/GHSA-5h4j-qrvg-9xhwx_refsource_CONFIRM
https://github.com/cisco/node-jose/commit/901d91508a70e3b9bdfc45688ea07bb4e1b8210dx_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2023-25653

Same Patch Batch · cisco · 2023-02-16 · 9 CVEs total

CVE-2023-20032	9.8 CRITICAL	ClamAV 缓冲区错误漏洞
CVE-2023-20014	7.5 HIGH	Cisco Nexus Dashboard 资源管理错误漏洞
CVE-2023-20009	6.5 MEDIUM	Cisco Secure Email 代码问题漏洞
CVE-2023-20085	6.1 MEDIUM	Cisco Identity Services Engine 跨站脚本漏洞
CVE-2023-20053	6.1 MEDIUM	Cisco Nexus Dashboard 跨站脚本漏洞
CVE-2023-20075	6.0 MEDIUM	Cisco Secure Email 操作系统命令注入漏洞
CVE-2022-20952	5.3 MEDIUM	Cisco Secure Web Appliance 输入验证错误漏洞
CVE-2023-20052	5.3 MEDIUM	ClamAV 安全漏洞

IV. Related Vulnerabilities

Same vendor: cisco

Same weakness: CWE-835

V. Comments for CVE-2023-25653

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2023-25653— Improper calculations in ECC implementation can trigger a Denial-of-Service (DoS)

I. Basic Information for CVE-2023-25653

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-25653

III. Intelligence Information for CVE-2023-25653

Same Patch Batch · cisco · 2023-02-16 · 9 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2023-25653

Leave a comment