CWE-835
AllowedLoop with Unreachable Exit Condition ('Infinite Loop')
Abstraction: Base · Status: Incomplete
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
1060 vulnerabilities reference this CWE, most recent first.
GHSA-595C-MC93-MP4P
Vulnerability from github – Published: 2025-07-30 18:31 – Updated: 2025-07-30 18:31A flaw exists within the Linux kernel's handling of new TCP connections. The issue results from the lack of memory release after its effective lifetime. This vulnerability allows an unauthenticated attacker to create a denial of service condition on the system.
{
"affected": [],
"aliases": [
"CVE-2023-2593"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-30T16:15:25Z",
"severity": "MODERATE"
},
"details": "A flaw exists within the Linux kernel\u0027s handling of new TCP connections. The issue results from the lack of memory release after its effective lifetime. This vulnerability allows an unauthenticated attacker to create a denial of service condition on the system.",
"id": "GHSA-595c-mc93-mp4p",
"modified": "2025-07-30T18:31:35Z",
"published": "2025-07-30T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2593"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-2593"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2384787"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/lkml/CAH2r5msyEy20e=FBx6wPWWc3kXzNR4b+zHshSqidRdFKVf_7Jg@mail.gmail.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-59G9-7GFX-C72P
Vulnerability from github – Published: 2021-09-20 20:45 – Updated: 2021-10-18 14:52Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.44"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "8.5.0"
},
{
"fixed": "8.5.64"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41079"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-17T18:01:45Z",
"nvd_published_at": "2021-09-16T15:15:00Z",
"severity": "HIGH"
},
"details": "Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.",
"id": "GHSA-59g9-7gfx-c72p",
"modified": "2021-10-18T14:52:03Z",
"published": "2021-09-20T20:45:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41079"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/34115fb3c83f6cd97772232316a492a4cc5729e0"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/tomcat"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r6b6b674e3f168dd010e67dbe6848b866e2acf26371452fdae313b98a@%3Cusers.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb4de81ac647043541a32881099aa6eb5a23f1b7fd116f713f8ab9dbe@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rccdef0349fdf4fb73a4e4403095446d7fe6264e0a58e2df5c6799434%40%3Cannounce.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00012.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20211008-0005"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4986"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Infinite loop in Tomcat due to parsing error"
}
GHSA-59P2-V62X-GXJ8
Vulnerability from github – Published: 2024-05-05 03:30 – Updated: 2024-07-03 20:14OFPHello in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via length=0.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ryu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.34"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-34489"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-06T14:33:14Z",
"nvd_published_at": "2024-05-05T03:15:07Z",
"severity": "HIGH"
},
"details": "`OFPHello` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `length=0`.",
"id": "GHSA-59p2-v62x-gxj8",
"modified": "2024-07-03T20:14:20Z",
"published": "2024-05-05T03:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34489"
},
{
"type": "WEB",
"url": "https://github.com/faucetsdn/ryu/issues/195"
},
{
"type": "PACKAGE",
"url": "https://github.com/faucetsdn/ryu"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Ryu Infinite Loop vulnerability"
}
GHSA-59WX-RWXR-9VQ7
Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-04-28 15:30In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
l2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED state to support L2CAP reconfiguration (e.g. MTU changes). However, since both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from the initial configuration, the reconfiguration path falls through to l2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and retrans_list without freeing the previous allocations and sets chan->sdu to NULL without freeing the existing skb. This leaks all previously allocated ERTM resources.
Additionally, l2cap_parse_conf_req() does not validate the minimum value of remote_mps derived from the RFC max_pdu_size option. A zero value propagates to l2cap_segment_sdu() where pdu_len becomes zero, causing the while loop to never terminate since len is never decremented, exhausting all available memory.
Fix the double-init by skipping l2cap_ertm_init() and l2cap_chan_ready() when the channel is already in BT_CONNECTED state, while still allowing the reconfiguration parameters to be updated through l2cap_parse_conf_req(). Also add a pdu_len zero check in l2cap_segment_sdu() as a safeguard.
{
"affected": [],
"aliases": [
"CVE-2026-31498"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-22T14:16:48Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop\n\nl2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED\nstate to support L2CAP reconfiguration (e.g. MTU changes). However,\nsince both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from\nthe initial configuration, the reconfiguration path falls through to\nl2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and\nretrans_list without freeing the previous allocations and sets\nchan-\u003esdu to NULL without freeing the existing skb. This leaks all\npreviously allocated ERTM resources.\n\nAdditionally, l2cap_parse_conf_req() does not validate the minimum\nvalue of remote_mps derived from the RFC max_pdu_size option. A zero\nvalue propagates to l2cap_segment_sdu() where pdu_len becomes zero,\ncausing the while loop to never terminate since len is never\ndecremented, exhausting all available memory.\n\nFix the double-init by skipping l2cap_ertm_init() and\nl2cap_chan_ready() when the channel is already in BT_CONNECTED state,\nwhile still allowing the reconfiguration parameters to be updated\nthrough l2cap_parse_conf_req(). Also add a pdu_len zero check in\nl2cap_segment_sdu() as a safeguard.",
"id": "GHSA-59wx-rwxr-9vq7",
"modified": "2026-04-28T15:30:47Z",
"published": "2026-04-22T15:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31498"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/042e2cd4bb11e5313b19b87593616524949e4c52"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/25f420a0d4cfd61d3d23ec4b9c56d9f443d91377"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/52667c859fe33f70c2e711cb81bbd505d5eb8e75"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/900e4db5385ec2cacd372345a80ab9c8e105b3a3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9760b83cfd24b38caee663f429011a0dd6064fa9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9a21a631ee034b1573dce14b572a24943dbfd7ae"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/de37e2655b7abc3f59254c6b72256840f39fc6d5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e7aab23b7df89a3d754a5f0a7d2237548b328bd0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5C7W-V73J-6CR4
Vulnerability from github – Published: 2024-03-25 12:30 – Updated: 2025-03-13 21:31In the Linux kernel, the following vulnerability has been resolved:
net: dsa: fix a crash if ->get_sset_count() fails
If ds->ops->get_sset_count() fails then it "count" is a negative error code such as -EOPNOTSUPP. Because "i" is an unsigned int, the negative error code is type promoted to a very high value and the loop will corrupt memory until the system crashes.
Fix this by checking for error codes and changing the type of "i" to just int.
{
"affected": [],
"aliases": [
"CVE-2021-47159"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-25T10:15:08Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix a crash if -\u003eget_sset_count() fails\n\nIf ds-\u003eops-\u003eget_sset_count() fails then it \"count\" is a negative error\ncode such as -EOPNOTSUPP. Because \"i\" is an unsigned int, the negative\nerror code is type promoted to a very high value and the loop will\ncorrupt memory until the system crashes.\n\nFix this by checking for error codes and changing the type of \"i\" to\njust int.",
"id": "GHSA-5c7w-v73j-6cr4",
"modified": "2025-03-13T21:31:01Z",
"published": "2024-03-25T12:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47159"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0f2cb08c57edefb0e7b5045e0e3e9980a3d3aa37"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7b22466648a4f8e3e94f57ca428d1531866d1373"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a269333fa5c0c8e53c92b5a28a6076a28cde3e83"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/caff86f85512b8e0d9830e8b8b0dfe13c68ce5b6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ce5355f140a7987011388c7e30c4f8fbe180d3e8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5F5P-267H-86W3
Vulnerability from github – Published: 2026-04-30 09:30 – Updated: 2026-04-30 09:30GNW protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
{
"affected": [],
"aliases": [
"CVE-2026-6523"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-30T07:16:39Z",
"severity": "MODERATE"
},
"details": "GNW protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service",
"id": "GHSA-5f5p-267h-86w3",
"modified": "2026-04-30T09:30:24Z",
"published": "2026-04-30T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6523"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/work_items/21177"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2026-38.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5F8V-5QR6-FHHP
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-07-14 21:31In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure
When ttm_tt_swapout() fails, the current code calls ttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail() to restore the resource's bulk_move membership.
However, ttm_resource_move_to_lru_tail() places the resource at the tail of the LRU list which, relative to the walk cursor's hitch node (placed immediately after the resource when it was yielded), puts the resource in front of the the hitch. The next list_for_each_entry_continue() from the hitch finds the same resource again, causing an infinite loop.
Fix by deferring del_bulk_move to the success path only.
On the success path, TTM_TT_FLAG_SWAPPED has just been set by ttm_tt_swapout() but the resource is still tracked in the bulk_move range, so ttm_resource_del_bulk_move()'s !ttm_resource_unevictable() guard would incorrectly skip the removal. Introduce ttm_resource_del_bulk_move_unevictable() which bypasses that guard.
{
"affected": [],
"aliases": [
"CVE-2026-52965"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:06Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure\n\nWhen ttm_tt_swapout() fails, the current code calls\nttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail()\nto restore the resource\u0027s bulk_move membership.\n\nHowever, ttm_resource_move_to_lru_tail() places the resource at the tail\nof the LRU list which, relative to the walk cursor\u0027s hitch node (placed\nimmediately after the resource when it was yielded), puts the resource\n*in front of the* the hitch. The next list_for_each_entry_continue() from\nthe hitch finds the same resource again, causing an infinite loop.\n\nFix by deferring del_bulk_move to the success path only.\n\nOn the success path, TTM_TT_FLAG_SWAPPED has just been set by\nttm_tt_swapout() but the resource is still tracked in the bulk_move range,\nso ttm_resource_del_bulk_move()\u0027s !ttm_resource_unevictable() guard would\nincorrectly skip the removal. Introduce\nttm_resource_del_bulk_move_unevictable() which bypasses that guard.",
"id": "GHSA-5f8v-5qr6-fhhp",
"modified": "2026-07-14T21:31:26Z",
"published": "2026-06-24T18:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52965"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0124a09e3e5f5f6080efe9663b27af27933f8382"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b2ed01e7ad3de80333e9b962a44024b094bc0b2b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5GMM-5672-7W8F
Vulnerability from github – Published: 2022-09-07 00:01 – Updated: 2022-09-10 00:00A Denial-of-Service vulnerability was discovered in the F-Secure and WithSecure products where aerdl.dll may go into an infinite loop when unpacking PE files. It is possible that this can crash the scanning engine.
{
"affected": [],
"aliases": [
"CVE-2022-28884"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-06T18:15:00Z",
"severity": "HIGH"
},
"details": "A Denial-of-Service vulnerability was discovered in the F-Secure and WithSecure products where aerdl.dll may go into an infinite loop when unpacking PE files. It is possible that this can crash the scanning engine.",
"id": "GHSA-5gmm-5672-7w8f",
"modified": "2022-09-10T00:00:30Z",
"published": "2022-09-07T00:01:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28884"
},
{
"type": "WEB",
"url": "https://www.withsecure.com/en/expertise/people"
},
{
"type": "WEB",
"url": "https://www.withsecure.com/en/support/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5GWR-VQFX-WJ2M
Vulnerability from github – Published: 2025-12-03 09:31 – Updated: 2025-12-03 09:31MEGACO dissector infinite loop in Wireshark 4.6.0 to 4.6.1 and 4.4.0 to 4.4.11 allows denial of service
{
"affected": [],
"aliases": [
"CVE-2025-13946"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-03T08:15:48Z",
"severity": "MODERATE"
},
"details": "MEGACO dissector infinite loop in Wireshark 4.6.0 to 4.6.1 and 4.4.0 to 4.4.11 allows denial of service",
"id": "GHSA-5gwr-vqfx-wj2m",
"modified": "2025-12-03T09:31:12Z",
"published": "2025-12-03T09:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13946"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/issues/20884"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2025-08.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5H4J-QRVG-9XHW
Vulnerability from github – Published: 2023-02-16 18:44 – Updated: 2023-02-16 21:52Description
When using the non-default "fallback" crypto back-end, ECC operations in node-jose can trigger a Denial-of-Service (DoS) condition, due to a possible infinite loop in an internal calculation. For some ECC operations, this condition is triggered randomly; for others, it can be triggered by malicious input.
Technical summary
The JOSE logic implemented by node-jose usually relies on an external cryptographic library for the underlying cryptographic primitives that JOSE operations require. When WebCrypto or the Node crypto module are available, they are used. When neither of these libraries is available, node-jose includes its own "fallback" implementations of some algorithms based on node-forge, in particular implementations of ECDH and ECDSA.
A various points, these algorithm implementations need to compute to the X coordinate of an elliptic curve point. This is done by calling the getX() method of the object representing the point, which is an alias of the function pointFpGetX() in lib/deps/ecc/math.js.
Computing the X coordinate from the form in which the point is stored requires computing the modular inverse of the Z coordinate, using the modInverse function from the jsbn library (e.g., this.z.modInverse(this.curve.p)). The output of this function call is multiplied by another value before being reduced with the barrettReduce() function.
The root cause of this issue is that the jsbn modInverse function sometimes returns negative results. These results are correct in that they are equivalent mod the relevant modulus, but can be problematic for functions that expect modular operations to always return positive results (in the range [0, p), where p is the modulus).
In particular, while the Barrett reduction algorithm in general can handle negative inputs, the implementation in node-jose explicitly does not. Therefore, while the negative value that is returned by modInverse() is mathematically correct, it leads to an error in barrettReduce() causing an infinite loop which may result in a Denial of Service condition.
For a given prime modulus, we estimate that roughly one in every 2^20 inputs produce a negative modInverse(). This estimate was validated with exhaustive testing on small primes (<30 bits) and randomized testing with regard to the P-256 prime.
Impact
This issue is only present in situations where the "fallback" cryptographic implementation is being used, i.e., situations where neither WebCrypto nor the Node crypto module is available.
The following elliptic curve algorithms are impacted by this issue (all in lib/deps/ecc/index.js):
- Elliptic curve key generation (
exports.generateKeyPair) - Converting an elliptic curve private key to a public key (
ECPrivateKey.prototype.toPublicKey) - ECDSA signing (
ECPrivateKey.prototype.sign) - ECDSA verification (
ECPublicKey.prototype.verify) - ECDH key agreement (
ECPrivateKey.prototype.computeSecret)
In the first three cases, the points being evaluated are generated randomly, so an attack could only arise due to a bad value being randomly selected (as noted above, with probability roughly 2^{-20}). In the latter two cases, the points being evaluated are provided from outside the library, and thus potentially by attackers.
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
Since this issue is only present in the "fallback" crypto implementation, it can be avoided by ensuring that either WebCrypto or the Node crypto module is available in the JS environment where node-jose is being run.
References
For more information
If you have any questions or comments about this advisory: * Open an issue in cisco/node-jose * Email Cisco open source security
Credits
- Research and disclosure: BlackBerry
- Fix implementation: Richard Barnes (@bifurcation)
- Release engineering: Stephen Augustus (@justaugustus)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "node-jose"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-25653"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-16T18:44:47Z",
"nvd_published_at": "2023-02-16T19:15:00Z",
"severity": "HIGH"
},
"details": "### Description\n\nWhen using the non-default \"fallback\" crypto back-end, ECC operations in `node-jose` can trigger a Denial-of-Service (DoS) condition, due to a possible infinite loop in an internal calculation. For some ECC operations, this condition is triggered randomly; for others, it can be triggered by malicious input.\n\n#### Technical summary\n\nThe JOSE logic implemented by `node-jose` usually relies on an external cryptographic library for the underlying cryptographic primitives that JOSE operations require. When WebCrypto or the Node `crypto` module are available, they are used. When neither of these libraries is available, `node-jose` includes its own \"fallback\" implementations of some algorithms based on `node-forge`, in particular implementations of ECDH and ECDSA. \n\nA various points, these algorithm implementations need to compute to the X coordinate of an elliptic curve point. This is done by calling the `getX()` method of the object representing the point, which is an alias of the function `pointFpGetX()` in `lib/deps/ecc/math.js`.\n\nComputing the X coordinate from the form in which the point is stored requires computing the modular inverse of the Z coordinate, using the `modInverse` function from the `jsbn` library (e.g., `this.z.modInverse(this.curve.p)`). The output of this function call is multiplied by another value before being reduced with the `barrettReduce()` function.\n\nThe root cause of this issue is that the `jsbn` `modInverse` function sometimes returns negative results. These results are correct in that they are equivalent mod the relevant modulus, but can be problematic for functions that expect modular operations to always return positive results (in the range `[0, p)`, where `p` is the modulus).\n\nIn particular, while the Barrett reduction algorithm in general can handle negative inputs, the implementation in `node-jose` explicitly does not. Therefore, while the negative value that is returned by `modInverse()` is mathematically correct, it leads to an error in `barrettReduce()` causing an infinite loop which may result in a Denial of Service condition.\n\nFor a given prime modulus, we estimate that roughly one in every `2^20` inputs produce a negative `modInverse()`. This estimate was validated with exhaustive testing on small primes (\u003c30 bits) and randomized testing with regard to the P-256 prime.\n\n### Impact\n\nThis issue is only present in situations where the \"fallback\" cryptographic implementation is being used, i.e., situations where neither WebCrypto nor the Node `crypto` module is available.\n\nThe following elliptic curve algorithms are impacted by this issue (all in `lib/deps/ecc/index.js`):\n\n- Elliptic curve key generation (`exports.generateKeyPair`)\n- Converting an elliptic curve private key to a public key (`ECPrivateKey.prototype.toPublicKey`)\n- ECDSA signing (`ECPrivateKey.prototype.sign`)\n- ECDSA verification (`ECPublicKey.prototype.verify`)\n- ECDH key agreement (`ECPrivateKey.prototype.computeSecret`)\n\nIn the first three cases, the points being evaluated are generated randomly, so an attack could only arise due to a bad value being randomly selected (as noted above, with probability roughly `2^{-20}`). In the latter two cases, the points being evaluated are provided from outside the library, and thus potentially by attackers.\n\n### Patches\n\n_Has the problem been patched? What versions should users upgrade to?_\n\n### Workarounds\n\nSince this issue is only present in the \"fallback\" crypto implementation, it can be avoided by ensuring that either WebCrypto or the Node `crypto` module is available in the JS environment where `node-jose` is being run.\n\n### References\n\n- [Barrett reduction on Wikipedia](https://en.wikipedia.org/wiki/Barrett_reduction)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [cisco/node-jose](https://github.com/cisco/node-jose/issues)\n* Email [Cisco open source security](mailto:oss-security@cisco.com)\n\n### Credits\n\n- Research and disclosure: BlackBerry\n- Fix implementation: [Richard Barnes (@bifurcation)](https://github.com/bifurcation)\n- Release engineering: [Stephen Augustus (@justaugustus)](https://github.com/justaugustus)\n",
"id": "GHSA-5h4j-qrvg-9xhw",
"modified": "2023-02-16T21:52:40Z",
"published": "2023-02-16T18:44:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cisco/node-jose/security/advisories/GHSA-5h4j-qrvg-9xhw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25653"
},
{
"type": "WEB",
"url": "https://github.com/cisco/node-jose/commit/901d91508a70e3b9bdfc45688ea07bb4e1b8210d"
},
{
"type": "PACKAGE",
"url": "https://github.com/cisco/node-jose"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper calculations in ECC implementation can trigger a Denial-of-Service (DoS)"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.