Vulnerability-Lookup

CVE-2026-41244 (GCVE-0-2026-41244)

Vulnerability from cvelistv5 – Published: 2026-04-24 19:11 – Updated: 2026-04-24 19:59

Title

Mojic: Observable Timing Discrepancy in HMAC Verification

Summary

Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack. This vulnerability is fixed in 2.1.4.

Severity

4.7 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-208 - Observable Timing Discrepancy

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/notamitgamer/mojic/security/ad…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
notamitgamer	mojic	Affected: < 2.1.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41244",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-24T19:59:29.940685Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-24T19:59:59.355Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mojic",
          "vendor": "notamitgamer",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.1.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack. This vulnerability is fixed in 2.1.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208: Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T19:11:54.892Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g"
        }
      ],
      "source": {
        "advisory": "GHSA-wqq3-wfmp-v85g",
        "discovery": "UNKNOWN"
      },
      "title": "Mojic: Observable Timing Discrepancy in HMAC Verification"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41244",
    "datePublished": "2026-04-24T19:11:54.892Z",
    "dateReserved": "2026-04-18T03:47:03.135Z",
    "dateUpdated": "2026-04-24T19:59:59.355Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-41244",
      "date": "2026-06-03",
      "epss": "0.00015",
      "percentile": "0.03058"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-41244\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-24T20:16:26.957\",\"lastModified\":\"2026-04-28T21:18:07.827\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack. This vulnerability is fixed in 2.1.4.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.0,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-208\"}]}],\"references\":[{\"url\":\"https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41244\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-24T19:59:29.940685Z\"}}}], \"references\": [{\"url\": \"https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-24T19:59:56.082Z\"}}], \"cna\": {\"title\": \"Mojic: Observable Timing Discrepancy in HMAC Verification\", \"source\": {\"advisory\": \"GHSA-wqq3-wfmp-v85g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.7, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"notamitgamer\", \"product\": \"mojic\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.1.4\"}]}], \"references\": [{\"url\": \"https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g\", \"name\": \"https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack. This vulnerability is fixed in 2.1.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-208\", \"description\": \"CWE-208: Observable Timing Discrepancy\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-24T19:11:54.892Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-41244\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-24T19:59:59.355Z\", \"dateReserved\": \"2026-04-18T03:47:03.135Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-24T19:11:54.892Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-41244

Vulnerability from fkie_nvd - Published: 2026-04-24 20:16 - Updated: 2026-04-28 21:18

Severity

4.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack. This vulnerability is fixed in 2.1.4."
    }
  ],
  "id": "CVE-2026-41244",
  "lastModified": "2026-04-28T21:18:07.827",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-24T20:16:26.957",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-208"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-WQQ3-WFMP-V85G

Vulnerability from github – Published: 2026-04-16 21:10 – Updated: 2026-04-27 16:08

Summary

Mojic: Observable Timing Discrepancy in HMAC Verification

Details

Summary

The CipherEngine in Mojic v2.1.3 uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack.

Details

In lib/CipherEngine.js, the footer check validates the HMAC signature using a standard string comparison: if (footerHex !== calcDigest) { ... }

Standard string comparisons in JavaScript short-circuit; they return false the moment a character mismatch occurs. Because the time taken to evaluate the comparison is proportional to the number of matching leading bytes, an attacker can measure the exact microseconds it takes for the engine to throw the FILE_TAMPERED error. By repeatedly altering the signature byte-by-byte and analyzing these minute timing differences, a malicious actor can theoretically forge a valid HMAC signature without possessing the decryption password.

PoC

The vulnerable implementation is located in lib/CipherEngine.js, within the getDecryptStream() flush method (approximately line 265):

// Vulnerable Code
if (footerHex !== calcDigest) {
    this.emit('error', new Error("FILE_TAMPERED"));
    return;
}

Recommended Remediation:

Replace the standard equality operator with Node.js's built-in constant-time comparison utility, crypto.timingSafeEqual().

// Remediated Code
const footerBuffer = Buffer.from(footerHex, 'hex');
const calcBuffer = Buffer.from(calcDigest, 'hex');

if (footerBuffer.length !== calcBuffer.length || !crypto.timingSafeEqual(footerBuffer, calcBuffer)) {
    this.emit('error', new Error("FILE_TAMPERED"));
    return;
}

Impact

If successfully exploited, an attacker could tamper with the encrypted .mojic payload and forge a valid HMAC signature. This bypasses the integrity seal, tricking the decryption engine into processing maliciously injected emoji streams. Because the engine translates these emojis back into C keywords and raw data chunks, this could ultimately result in arbitrary Code Injection into the restored .c source code when an unsuspecting user decrypts the tampered file.

Severity

4.7 (Medium)


                  
                    CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "mojic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41244"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:10:17Z",
    "nvd_published_at": "2026-04-24T20:16:26Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe `CipherEngine` in Mojic v2.1.3 uses a standard equality operator (`!==`) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack.\n\n### Details\nIn `lib/CipherEngine.js`, the footer check validates the HMAC signature using a standard string comparison:\n`if (footerHex !== calcDigest) { ... }`\n\nStandard string comparisons in JavaScript short-circuit; they return `false` the moment a character mismatch occurs. Because the time taken to evaluate the comparison is proportional to the number of matching leading bytes, an attacker can measure the exact microseconds it takes for the engine to throw the `FILE_TAMPERED` error. By repeatedly altering the signature byte-by-byte and analyzing these minute timing differences, a malicious actor can theoretically forge a valid HMAC signature without possessing the decryption password.\n\n### PoC\nThe vulnerable implementation is located in `lib/CipherEngine.js`, within the `getDecryptStream()` flush method (approximately line 265):\n\n```javascript\n// Vulnerable Code\nif (footerHex !== calcDigest) {\n    this.emit(\u0027error\u0027, new Error(\"FILE_TAMPERED\"));\n    return;\n}\n```\n\n### Recommended Remediation:\nReplace the standard equality operator with Node.js\u0027s built-in constant-time comparison utility, crypto.timingSafeEqual().\n\n```JavaScript\n// Remediated Code\nconst footerBuffer = Buffer.from(footerHex, \u0027hex\u0027);\nconst calcBuffer = Buffer.from(calcDigest, \u0027hex\u0027);\n\nif (footerBuffer.length !== calcBuffer.length || !crypto.timingSafeEqual(footerBuffer, calcBuffer)) {\n    this.emit(\u0027error\u0027, new Error(\"FILE_TAMPERED\"));\n    return;\n}\n```\n\n### Impact\nIf successfully exploited, an attacker could tamper with the encrypted .mojic payload and forge a valid HMAC signature. This bypasses the integrity seal, tricking the decryption engine into processing maliciously injected emoji streams. Because the engine translates these emojis back into C keywords and raw data chunks, this could ultimately result in arbitrary Code Injection into the restored .c source code when an unsuspecting user decrypts the tampered file.",
  "id": "GHSA-wqq3-wfmp-v85g",
  "modified": "2026-04-27T16:08:33Z",
  "published": "2026-04-16T21:10:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41244"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/notamitgamer/mojic"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mojic: Observable Timing Discrepancy in HMAC Verification"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41244 (GCVE-0-2026-41244)

FKIE_CVE-2026-41244

GHSA-WQQ3-WFMP-V85G

Summary

Details

PoC

Recommended Remediation:

Impact

Tags

Sightings

Nomenclature