{"id":106341,"name":"jose","ecosystem":"pub","description":"Javascript Object Signing and Encryption (JOSE) library supporting JWE, JWS, JWK and JWT","homepage":"https://github.com/appsup-dart/jose","licenses":"bsd-3-clause","normalized_licenses":["BSD-3-Clause"],"repository_url":"https://github.com/appsup-dart/jose","keywords_array":[],"namespace":null,"versions_count":20,"first_release_published_at":"2018-11-04T10:25:58.063Z","latest_release_published_at":"2026-03-27T09:45:13.537Z","latest_release_number":"0.3.5+1","last_synced_at":"2026-04-07T01:11:08.170Z","created_at":"2022-04-05T12:55:43.551Z","updated_at":"2026-04-08T00:10:40.812Z","registry_url":"https://pub.dev/packages/jose","install_command":"dart pub add jose","documentation_url":"https://pub.dev/documentation/jose/","metadata":{},"repo_metadata":{"id":33654214,"uuid":"155909736","full_name":"appsup-dart/jose","owner":"appsup-dart","description":"Javascript Object Signing and Encryption (JOSE) library","archived":false,"fork":false,"pushed_at":"2026-03-27T09:44:56.000Z","size":114,"stargazers_count":56,"open_issues_count":1,"forks_count":44,"subscribers_count":2,"default_branch":"master","last_synced_at":"2026-04-04T19:22:58.800Z","etag":null,"topics":["aes","cryptography","encryption","jose","jwt","rsa"],"latest_commit_sha":null,"homepage":"","language":"Dart","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/appsup-dart.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-11-02T18:58:48.000Z","updated_at":"2026-03-27T09:44:59.000Z","dependencies_parsed_at":"2024-06-18T18:42:54.010Z","dependency_job_id":null,"html_url":"https://github.com/appsup-dart/jose","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/appsup-dart/jose","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appsup-dart%2Fjose","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appsup-dart%2Fjose/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appsup-dart%2Fjose/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appsup-dart%2Fjose/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/appsup-dart","download_url":"https://codeload.github.com/appsup-dart/jose/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appsup-dart%2Fjose/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31446890,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-05T15:22:31.103Z","status":"ssl_error","status_checked_at":"2026-04-05T15:22:00.205Z","response_time":75,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"appsup-dart","name":"appsup-dart","uuid":"13135837","kind":"organization","description":null,"email":null,"website":null,"location":null,"twitter":null,"company":null,"icon_url":"https://avatars.githubusercontent.com/u/13135837?v=4","repositories_count":35,"last_synced_at":"2025-04-06T08:34:32.112Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/appsup-dart","funding_links":[],"total_stars":403,"followers":6,"following":0,"created_at":"2022-11-08T05:57:12.828Z","updated_at":"2025-04-06T08:34:32.112Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/appsup-dart","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/appsup-dart/repositories"},"tags":[]},"repo_metadata_updated_at":"2026-04-07T01:11:06.781Z","dependent_packages_count":45,"downloads":null,"downloads_period":null,"dependent_repos_count":187,"rankings":{"downloads":null,"dependent_repos_count":1.884410783518168,"dependent_packages_count":0.6514290866468307,"stargazers_count":8.666937156252818,"forks_count":7.1724821927689115,"docker_downloads_count":null,"average":4.593814804796682},"purl":"pkg:pub/jose","advisories":[{"uuid":"GSA_kwCzR0hTQS12bTlyLWg3NHAtaGc5N84ABUg-","url":"https://github.com/advisories/GHSA-vm9r-h74p-hg97","title":"jose vulnerable to untrusted JWK header key acceptance during signature verification","description":"### Impact\n\nA vulnerability in `jose` versions up to and including `0.3.5` could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header (`jwk`).  \n\nThe vulnerability exists because key selection could treat header-provided `jwk` as a verification candidate even when that key was not present in the trusted key store. Since JOSE headers are untrusted input, an attacker could exploit this by creating a token payload, embedding an attacker-controlled public key in the header, and signing with the matching private key.  \n\nApplications using affected versions for token verification are impacted.\n\n### Patches\n\nUpgrade to `0.3.5+1` or later.\n\n### Workarounds\n\nReject tokens where header `jwk` is present unless that `jwk` matches a key already present in the application's trusted key store.\n\n### Resources\n\nFix commit: [fix: improved key resolution in JsonWebKeyStore](https://github.com/appsup-dart/jose/commit/b07799aac1f56a9a21483feac026272aab30cc5d)","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-03-31T23:09:16.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","references":["https://github.com/appsup-dart/jose/security/advisories/GHSA-vm9r-h74p-hg97","https://nvd.nist.gov/vuln/detail/CVE-2026-34240","https://github.com/appsup-dart/jose/commit/b07799aac1f56a9a21483feac026272aab30cc5d","https://github.com/advisories/GHSA-vm9r-h74p-hg97"],"source_kind":"github","identifiers":["GHSA-vm9r-h74p-hg97","CVE-2026-34240"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-04-01T00:00:09.802Z","updated_at":"2026-04-07T23:00:19.081Z","epss_percentage":0.0001,"epss_percentile":0.01047,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12bTlyLWg3NHAtaGc5N84ABUg-","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS12bTlyLWg3NHAtaGc5N84ABUg-","packages":[{"ecosystem":"pub","package_name":"jose","versions":[{"first_patched_version":"0.3.5+1","vulnerable_version_range":"\u003c= 0.3.5"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12bTlyLWg3NHAtaGc5N84ABUg-/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/pub/jose","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/pub/jose","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/pub/jose/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":{"last_synced_at":"2026-04-04T18:15:27.295Z","issues_count":44,"pull_requests_count":19,"avg_time_to_close_issue":16978671.465116277,"avg_time_to_close_pull_request":11281588.388888888,"issues_closed_count":43,"pull_requests_closed_count":18,"pull_request_authors_count":13,"issue_authors_count":40,"avg_comments_per_issue":1.7272727272727273,"avg_comments_per_pull_request":0.7894736842105263,"merged_pull_requests_count":11,"bot_issues_count":0,"bot_pull_requests_count":0,"past_year_issues_count":1,"past_year_pull_requests_count":1,"past_year_avg_time_to_close_issue":14740384.0,"past_year_avg_time_to_close_pull_request":12499410.0,"past_year_issues_closed_count":1,"past_year_pull_requests_closed_count":1,"past_year_pull_request_authors_count":1,"past_year_issue_authors_count":1,"past_year_avg_comments_per_issue":0.0,"past_year_avg_comments_per_pull_request":0.0,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":0,"past_year_merged_pull_requests_count":1,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/appsup-dart%2Fjose/issues","maintainers":[],"active_maintainers":[]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/pub.dev/packages/jose/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/pub.dev/packages/jose/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/pub.dev/packages/jose/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/pub.dev/packages/jose/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/pub.dev/packages/jose/codemeta","maintainers":[]}