Summary
The CipherEngine in Mojic v2.1.3 uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack.
Details
In lib/CipherEngine.js, the footer check validates the HMAC signature using a standard string comparison:if (footerHex !== calcDigest) { ... }
Standard string comparisons in JavaScript short-circuit; they return false the moment a character mismatch occurs. Because the time taken to evaluate the comparison is proportional to the number of matching leading bytes, an attacker can measure the exact microseconds it takes for the engine to throw the FILE_TAMPERED error. By repeatedly altering the signature byte-by-byte and analyzing these minute timing differences, a malicious actor can theoretically forge a valid HMAC signature without possessing the decryption password.
PoC
The vulnerable implementation is located in lib/CipherEngine.js, within the getDecryptStream() flush method (approximately line 265):
// Vulnerable Code
if (footerHex !== calcDigest) {
this.emit('error', new Error("FILE_TAMPERED"));
return;
}
Recommended Remediation:
Replace the standard equality operator with Node.js's built-in constant-time comparison utility, crypto.timingSafeEqual().
// Remediated Code
const footerBuffer = Buffer.from(footerHex, 'hex');
const calcBuffer = Buffer.from(calcDigest, 'hex');
if (footerBuffer.length !== calcBuffer.length || !crypto.timingSafeEqual(footerBuffer, calcBuffer)) {
this.emit('error', new Error("FILE_TAMPERED"));
return;
}
Impact
If successfully exploited, an attacker could tamper with the encrypted .mojic payload and forge a valid HMAC signature. This bypasses the integrity seal, tricking the decryption engine into processing maliciously injected emoji streams. Because the engine translates these emojis back into C keywords and raw data chunks, this could ultimately result in arbitrary Code Injection into the restored .c source code when an unsuspecting user decrypts the tampered file.
CVE-2026-41244 has a CVSS score of 4.7 (Medium). The vector is requires local access, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.1.4); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-41244? CVE-2026-41244 is a medium-severity security vulnerability in mojic (npm), affecting versions <= 2.1.3. It is fixed in 2.1.4.
- How severe is CVE-2026-41244? CVE-2026-41244 has a CVSS score of 4.7 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of mojic are affected by CVE-2026-41244? mojic (npm) versions <= 2.1.3 is affected.
- Is there a fix for CVE-2026-41244? Yes. CVE-2026-41244 is fixed in 2.1.4. Upgrade to this version or later.
- Is CVE-2026-41244 exploitable, and should I be worried? Whether CVE-2026-41244 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-41244 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-41244? Upgrade
mojicto 2.1.4 or later.