Skip to main content

Mojic CVE-2026-41244

| EUVDEUVD-2026-25610 MEDIUM
Observable Timing Discrepancy (CWE-208)
2026-04-24 GitHub_M
4.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

6
Patch released
Apr 28, 2026 - 21:18 nvd
Patch available
Patch available
Apr 24, 2026 - 21:02 EUVD
Analysis Generated
Apr 24, 2026 - 20:16 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 19:45 euvd
EUVD-2026-25610
Analysis Generated
Apr 24, 2026 - 19:45 vuln.today
CVE Published
Apr 24, 2026 - 19:11 nvd
MEDIUM 4.7

DescriptionGitHub Advisory

Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack. This vulnerability is fixed in 2.1.4.

AnalysisAI

Mojic prior to version 2.1.4 allows attackers to bypass HMAC-SHA256 file integrity verification through a timing attack against the CipherEngine's comparison function. The vulnerability stems from use of a standard equality operator (!=== in JavaScript) instead of constant-time comparison during decryption, enabling an attacker with local file access to forge or tamper with emoji-encoded files. While CVSS score is moderate (4.7), the attack requires user interaction and local access, limiting real-world exploitability.

Technical ContextAI

Mojic's CipherEngine implements HMAC-SHA256 as an integrity seal for decrypted emoji-encoded C code. The vulnerability is rooted in CWE-208 (Observable Timing Discrepancy), a class of attacks where cryptographic operations leak timing information through side-channels. Standard JavaScript equality operators (= and !) perform byte-by-byte comparison with early exit on first mismatch, making execution time proportional to the number of matching bytes in the HMAC. An attacker can measure response times or operation durations to iteratively brute-force valid HMAC values, effectively bypassing the integrity check. Constant-time comparison functions (like crypto.timingSafeEqual() in Node.js) perform all comparisons regardless of input, eliminating this timing leak.

RemediationAI

Upgrade Mojic to version 2.1.4 or later immediately. The patch replaces the standard equality operator with a constant-time comparison function in the CipherEngine's HMAC verification routine, eliminating the timing discrepancy. Users should re-encrypt any previously encrypted files with the patched version to ensure integrity checks are cryptographically sound. Until patching, minimize sharing of encrypted Mojic files across untrusted networks and avoid decrypting files from sources that may have been tampered with. The mitigation has no performance side-effects; constant-time comparison adds negligible latency.

Share

CVE-2026-41244 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy