Skip to main content

Mojic

1 CVEs product

Monthly

CVE-2026-41244 npm MEDIUM PATCH This Month

Mojic prior to version 2.1.4 allows attackers to bypass HMAC-SHA256 file integrity verification through a timing attack against the CipherEngine's comparison function. The vulnerability stems from use of a standard equality operator (!=== in JavaScript) instead of constant-time comparison during decryption, enabling an attacker with local file access to forge or tamper with emoji-encoded files. While CVSS score is moderate (4.7), the attack requires user interaction and local access, limiting real-world exploitability.

Authentication Bypass Mojic
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Mojic prior to version 2.1.4 allows attackers to bypass HMAC-SHA256 file integrity verification through a timing attack against the CipherEngine's comparison function. The vulnerability stems from use of a standard equality operator (!=== in JavaScript) instead of constant-time comparison during decryption, enabling an attacker with local file access to forge or tamper with emoji-encoded files. While CVSS score is moderate (4.7), the attack requires user interaction and local access, limiting real-world exploitability.

Authentication Bypass Mojic
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy