Adobe researcher spots JSON Web Encryption vulnerability

An Adobe security researcher is recommending that those using JSON Web Encryption update to the latest version to be secure from a critical vulnerability that was spotted.

Antonio Sanso, senior software engineer at Adobe Research Switzerland, blogged that the go-jose, node-jose, jose2go, Nimbus JOSE+JWT or jose4 libraries with ECDH-ES are vulnerable and need to update to RFC7516, also known as JSON Web Encryption, or they could be hit with an Invalid Curve Attack. If this happens, an attacker could extract the receiver's private key.

Sanso has reported the issue to the Javascript Object Signing and Encryption working group.
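
The receiver-side defence against an Invalid Curve Attack is to confirm that the sender's ephemeral public key (the `epk` header parameter used with ECDH-ES) lies on the expected curve before it is used in key agreement. The following is an added example, not code from Sanso's post or from any of the libraries named above; it assumes P-256, and `validateEpk`, `jwkFromHex` and the sample keys are constructed for illustration.

```javascript
// Added example: validate a JWE ECDH-ES "epk" (P-256 assumed) before key agreement.
const P256 = {
  p: 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn,
  b: 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn,
  size: 32, // bytes per coordinate
};

// Decode an unpadded base64url JWK coordinate; null if it is not base64url text.
function b64uToBytes(s) {
  if (typeof s !== 'string' || !/^[A-Za-z0-9_-]+$/.test(s)) return null;
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

// Returns 'ok' or the reason the key must be rejected.
function validateEpk(epk) {
  if (!epk || epk.kty !== 'EC' || epk.crv !== 'P-256') return 'unsupported key type or curve';
  const xb = b64uToBytes(epk.x);
  const yb = b64uToBytes(epk.y);
  if (!xb || !yb || xb.length !== P256.size || yb.length !== P256.size) {
    return 'malformed coordinate';
  }
  const x = BigInt('0x' + xb.toString('hex'));
  const y = BigInt('0x' + yb.toString('hex'));
  const { p, b } = P256;
  if (x >= p || y >= p) return 'coordinate out of range';
  // Curve equation: y^2 = x^3 - 3x + b (mod p). A point that fails it belongs
  // to a different curve, which is what an invalid-curve key looks like.
  const lhs = (y * y) % p;
  const rhs = ((((x * x) % p) * x - 3n * x + b) % p + p) % p;
  return lhs === rhs ? 'ok' : 'point not on curve';
}

// Constructed sample keys: the P-256 base point, and the same x with y + 1.
function jwkFromHex(xHex, yHex) {
  const enc = (h) => Buffer.from(h, 'hex').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return { kty: 'EC', crv: 'P-256', x: enc(xHex), y: enc(yHex) };
}
const GX = '6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296';
const GY = '4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5';
const goodEpk = jwkFromHex(GX, GY);
const badEpk = jwkFromHex(GX, GY.slice(0, -1) + '6');

console.log(validateEpk(goodEpk), '/', validateEpk(badEpk));
```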
