5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29445

GHSA ID

GHSA-4v4g-726h-xvfv

EPSS Score

0.59538%

CWE

CWE-203

Published

4/19/2021

Updated

3/17/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-29445

CVE-2021-29445: Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-esm-runtime

Impact

AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed JWEDecryptionFailed would be thrown. But a possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block).

Patches

A patch was released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are >=3.11.4.

Users should upgrade to ^3.11.4.

Credits

Thanks to Morgan Brown of Microsoft for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory.

(GitHub Advisory)

5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29445

GHSA ID

GHSA-4v4g-726h-xvfv

EPSS Score

0.59538%

CWE

CWE-203

Published

4/19/2021

Updated

3/17/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
jose-node-esm-runtime	npm	< 3.11.4	3.11.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from incorrect execution order in AES_CBC_HMAC_SHA2 decryption. The advisory explicitly states HMAC verification and CBC decryption were both always executed, with the timing discrepancy between padding errors (CBC-related) and HMAC failures creating the oracle. The standard JWE decryption flow for these algorithms would be implemented in a function handling both operations, likely named something like hybridDecrypt in AES-CBC-HMAC context. The high confidence comes from: 1) The vulnerability description matches the function's responsibility 2) The patch specifically changes operation order 3) This aligns with JWE specification implementation patterns in JOSE libraries.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t [**S_***_*M**_S*** *l*orit*m](*ttps://tools.i*t*.or*/*tml/r******#s**tion-*.*) (*******-*S***, *******-*S***, *******-*S***) ***ryption woul* *lw*ys *x**ut* *ot* *M** t** v*ri*i**tion *n* *** ***ryption, i* *it**r **il** `JW****ryption**i

Reasoning

T** vuln*r**ility st*ms *rom in*orr**t *x**ution or**r in **S_***_*M**_S*** ***ryption. T** **visory *xpli*itly st*t*s *M** v*ri*i**tion *n* *** ***ryption w*r* *ot* *lw*ys *x**ut**, wit* t** timin* *is*r*p*n*y **tw**n p***in* *rrors (***-r*l*t**) *n

5.9

Basic Information

Concerned about an active attack path?

CVE-2021-29445: Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-esm-runtime

Impact

Patches

Credits

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI