Fluid Attacks Database

Description

Verification Bypass in jsonwebtoken Versions 4.2.1 and earlier of jsonwebtoken are affected by a verification bypass vulnerability. This is a result of weak validation of the JWT algorithm type, occuring when an attacker is allowed to arbitrarily specify the JWT algorithm.

Recommendation

Update to version 4.2.2 or later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	jsonwebtoken	>=0 <4.2.2	4.2.2

Aliases

1. CVE-2015-92352. NVD-2015-92353. OSV-2015-92354. GHSA-c7hr-j4mj-j2w65. GCVE-2015-9235

References

1. https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b6872. https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries3. https://www.npmjs.com/advisories/174. https://www.timmclean.net/2015/02/25/jwt-alg-none.html5. https://github.com/aalex954/jwt-key-confusion-poc

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.