An Adobe security researcher is recommending that those using JSON Web Encryption to update to the latest version to be secure from a critical vulnerability that was spotted.

Antonio Sanso, senior software engineer at Adobe Research Switzerland, blogged that go-jose, node-jose, jose2go, Nimbus JOSE+JWT or jose4 libraries with ECDH-ES are vulnerable and need to update to RFC7516 also known as JSON Web Encryption or they could be hit with an Invalid Curve Attack. If this happens an attacker could extract the receiver's private key.

Sanso has reported the issue to the Javascript Object Signing Encryption working group.