CVE-2026-34240— jose vulnerable to untrusted JWK header key acceptance during signature verification

jose vulnerable to untrusted JWK header key acceptance during signature verification

JOSE is a Javascript Object Signing and Encryption (JOSE) library. Prior to version 0.3.5+1, a vulnerability in jose could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header (jwk). The vulnerability exists because key selection could treat header-provided jwk as a verification candidate even when that key was not present in the trusted key store. Since JOSE headers are untrusted input, an attacker could exploit this by creating a token payload, embedding an attacker-controlled public key in the header, and signing with the matching private key. Applications using affected versions for token verification are impacted. This issue has been patched in version 0.3.5+1. A workaround for this issue involves rejecting tokens where header jwk is present unless that jwk matches a key already present in the application's trusted key store.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

密码学签名的验证不恰当

jose 数据伪造问题漏洞

jose是Filip Skokan个人开发者的用于 JSON 对象签名和加密的 JavaScript 模块。 JOSE 0.3.5+1之前版本存在数据伪造问题漏洞，该漏洞源于密钥选择可能将JOSE标头中嵌入的jwk视为验证候选，可能导致伪造有效的JWS或JWT令牌。

N/A

N/A