Lack of data validation in jws
Description
Forgeable Public/Private Tokens in jws
Affected versions of the jws package let the party presenting a JWT, rather than the server, select which algorithm the server uses to verify it: the algorithm is taken from the token's own header instead of being fixed by the verifying application. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT as a bearer token, the end result is a complete authentication bypass with minimal effort.
Recommendation
Update to version 3.0.0 or later.
Mitigation
Update Impact
Minimal update, though it may introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected versions | Patched versions |
|---|---|---|---|
| npm | jws | < 3.0.0 | 3.0.0 |