Is CVE-2024-28176 actively exploited?

CVE-2024-28176 has no public evidence of in-the-wild exploitation as of 2025-12-05.

What is the CVSS score for CVE-2024-28176?

CVE-2024-28176 has a CVSS score of 4.9 (MEDIUM severity). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H.

How do I patch CVE-2024-28176?

Patch guidance is available from jose project security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2024-28176.

CVE-2024-28176 - remediation guidance & executive summary

Q: Which products are affected by CVE-2024-28176?

3 products: jose project jose, jose project jose, fedoraproject fedora.

Description

jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector: network
Complexity: low
Privileges: high
User Action: none
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: high
Weaknesses: CWE-400

Metadata

Primary Vendor: JOSE_PROJECT
Published: 3/9/2024
Last Modified: 12/5/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

jose_project : josejose_project : josefedoraproject : fedora

Remediation Guidance

Executive Summary

Cite this page

CVE-2024-28176. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2024-28176

View on NIST NVD

CVE-2024-28176 vulnerability