CVE-2017-12973 in JOSE+JWT
Summary
by MITRE
Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.
Analysis
by VulDB Data Team • 01/11/2026
CVE-2017-12973 affects the Nimbus JOSE+JWT library in version 4.38 and earlier. It is a flaw in the library's cryptographic processing logic: during authenticated AES-CBC decryption the library does not handle an invalid HMAC correctly, and what it does next (its timing or its error responses) differs in a way an adversary can observe and exploit. Any application that relies on Nimbus JOSE+JWT for JSON Web Token (JWT) operations is impacted, in particular those that use AES-CBC encryption with HMAC authentication.
The technical root cause is improper error handling when an invalid HMAC is detected during decryption. In an authenticated encryption mode such as AES-CBC with HMAC, decryption must stop as soon as the HMAC check fails; the Nimbus library instead continues processing, and the timing differences or error responses that result can reveal information about the ciphertext. This creates a padding oracle condition: an attacker can submit systematically modified ciphertexts with different padding values, observe the library's response to each, and gradually deduce the plaintext. The flaw aligns with CWE-209, which describes improper handling of error conditions that may reveal sensitive information, and belongs to the broader class of padding oracle attacks that is extensively documented in the cryptographic security literature.
The operational impact goes beyond simple information disclosure: an attacker can fully decrypt protected JWT tokens without possessing the encryption keys, and so obtain the sensitive user data, session tokens and authentication credentials those tokens protect. The vulnerability can be leveraged in web application attacks, API exploitation and session hijacking, and it affects any system in which JWT tokens are used for authentication, authorization or data protection, particularly enterprise environments that transmit sensitive information under these cryptographic protocols. According to ATT&CK framework category T1552, this vulnerability enables credential access through cryptographic key compromise, while T1210 represents the exploitation of vulnerabilities in cryptographic libraries to gain unauthorized access.
Mitigating CVE-2017-12973 requires an immediate update of the library to version 4.39 or later, where the improper HMAC handling has been corrected: decryption now terminates as soon as HMAC validation fails, which removes the information leakage that enabled the padding oracle attack. Organizations should run a comprehensive vulnerability assessment to identify every system that uses an affected library version and apply patch management procedures so that the fix is deployed promptly. Security teams should also watch for exploitation attempts by reviewing system logs for unusual decryption patterns or repeated authentication failures, both of which can indicate padding oracle activity. Finally, security architectures should add defense-in-depth measures such as rate limiting, request monitoring and cryptographic protocol hardening to reduce the attack surface against similar vulnerabilities.
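The root cause described in the analysis (decryption proceeds after an invalid HMAC, so a padding failure and an authentication failure become distinguishable) and the corrected behaviour described in the mitigation paragraph (stop as soon as the HMAC check fails) are shown side by side below. This is an added example, not Nimbus JOSE+JWT source code: it follows the JWE A128CBC-HS256 layout from RFC 7518 section 5.2 (32-byte content encryption key split into a 16-byte MAC key and a 16-byte AES key, HMAC-SHA-256 over AAD || IV || ciphertext || AAD bit length, tag truncated to 16 bytes) using only the standard JCE API; the class name, the method names and the AuthFailure exception are invented, and the key, IV and protected header in main are constructed for the demo.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Illustrative A128CBC-HS256 content decryption in the shape of RFC 7518 section 5.2.
// Added example, not Nimbus JOSE+JWT source; the class and method names are invented.
public final class AuthenticatedCbcDemo {

    // The only error a caller should ever see for a rejected message.
    static final class AuthFailure extends GeneralSecurityException {
        AuthFailure() { super("authenticated decryption failed"); }
    }

    // RFC 7518 5.2.2.1: the 32-byte CEK splits into MAC_KEY (first 16 bytes) and ENC_KEY (last 16).
    static byte[] macKey(byte[] cek) { return Arrays.copyOfRange(cek, 0, 16); }
    static byte[] encKey(byte[] cek) { return Arrays.copyOfRange(cek, 16, 32); }

    // HMAC-SHA-256 over AAD || IV || ciphertext || AL (AAD length in bits, 64-bit big-endian), truncated to 16 bytes.
    static byte[] computeTag(byte[] macKey, byte[] aad, byte[] iv, byte[] ciphertext) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        mac.update(aad);
        mac.update(iv);
        mac.update(ciphertext);
        mac.update(ByteBuffer.allocate(8).putLong((long) aad.length * 8L).array());
        return Arrays.copyOf(mac.doFinal(), 16);
    }

    // AES-CBC with PKCS#7 padding (JCE calls it PKCS5Padding); used for both directions in the demo.
    static byte[] cbc(int mode, byte[] encKey, byte[] iv, byte[] data) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(mode, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(iv));
        return cipher.doFinal(data);
    }

    // VULNERABLE SHAPE: the tag mismatch is noticed, but decryption (and PKCS#7 unpadding) runs anyway.
    // A forged ciphertext with invalid padding throws BadPaddingException; one whose padding happens to
    // be valid reaches the AuthFailure below. Two distinguishable outcomes: that is the padding oracle.
    static byte[] decryptLeaky(byte[] cek, byte[] aad, byte[] iv, byte[] ciphertext, byte[] tag)
            throws GeneralSecurityException {
        boolean tagOk = MessageDigest.isEqual(computeTag(macKey(cek), aad, iv, ciphertext), tag);
        byte[] plaintext = cbc(Cipher.DECRYPT_MODE, encKey(cek), iv, ciphertext); // may throw BadPaddingException
        if (!tagOk) {
            throw new AuthFailure();
        }
        return plaintext;
    }

    // HARDENED SHAPE: verify the tag first, in constant time, and stop on mismatch so the padding of a
    // forged ciphertext is never inspected; any cipher error that still occurs is folded into AuthFailure.
    static byte[] decryptSafe(byte[] cek, byte[] aad, byte[] iv, byte[] ciphertext, byte[] tag)
            throws GeneralSecurityException {
        if (!MessageDigest.isEqual(computeTag(macKey(cek), aad, iv, ciphertext), tag)) {
            throw new AuthFailure();
        }
        try {
            return cbc(Cipher.DECRYPT_MODE, encKey(cek), iv, ciphertext);
        } catch (GeneralSecurityException e) {
            throw new AuthFailure();
        }
    }

    interface Decryptor { byte[] run() throws GeneralSecurityException; }

    // Reports which exception class a caller (or an attacker) would observe.
    static String outcome(String label, Decryptor d) {
        try {
            d.run();
            return label + ": accepted";
        } catch (GeneralSecurityException e) {
            return label + ": " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] cek = new byte[32]; rnd.nextBytes(cek);  // constructed demo key
        byte[] iv = new byte[16]; rnd.nextBytes(iv);
        String header = "{\"alg\":\"dir\",\"enc\":\"A128CBC-HS256\"}"; // constructed protected header
        byte[] aad = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(header.getBytes(StandardCharsets.UTF_8)).getBytes(StandardCharsets.US_ASCII);
        byte[] ciphertext = cbc(Cipher.ENCRYPT_MODE, encKey(cek), iv,
                "constructed sample plaintext".getBytes(StandardCharsets.UTF_8));
        byte[] tag = computeTag(macKey(cek), aad, iv, ciphertext);

        // Forgery 1: ciphertext intact, tag altered. Forgery 2: tag intact, last ciphertext block altered.
        byte[] badTag = tag.clone(); badTag[0] ^= 0x01;
        byte[] badCt = ciphertext.clone(); badCt[badCt.length - 1] ^= 0x01;

        System.out.println(outcome("leaky, bad tag  ", () -> decryptLeaky(cek, aad, iv, ciphertext, badTag)));
        System.out.println(outcome("leaky, bad block", () -> decryptLeaky(cek, aad, iv, badCt, tag)));
        System.out.println(outcome("safe,  bad tag  ", () -> decryptSafe(cek, aad, iv, ciphertext, badTag)));
        System.out.println(outcome("safe,  bad block", () -> decryptSafe(cek, aad, iv, badCt, tag)));
    }
}
```

Compile and run with `javac AuthenticatedCbcDemo.java && java AuthenticatedCbcDemo`. The leaky path reports AuthFailure for the altered tag but (in almost every run, because the corrupted final block decrypts to effectively random bytes) BadPaddingException for the altered block, so a client can tell the two forgeries apart; the safe path reports AuthFailure for both. Checking the tag before touching the padding, comparing it with MessageDigest.isEqual rather than Arrays.equals, and mapping every downstream failure to one exception type are the three properties the 4.39 fix restores; when reviewing a JWE implementation, those are the three to look for.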