CVE-2023-23928

critical

Description

reason-jose is a JOSE implementation in ReasonML and OCaml.`Jose.Jws.validate` does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks. Such tampering could expose applications using reason-jose to authorization bypass. Applications relying on JWS claims assertion to enforce security boundaries may be vulnerable to privilege escalation. This issue has been patched in version 0.8.2.

References

Advisories

https://github.com/ulrikstrid/reason-jose/security/advisories/GHSA-7jj9-6qwv-wpm7

https://github.com/ulrikstrid/reason-jose/releases/tag/v0.8.2

https://github.com/ulrikstrid/reason-jose/commit/36cd724db3cbec121757624da49072386bd869e5

Details

Source: Mitre, NVD

Published: 2023-02-01

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.0013