Skip to content

Verification Bypass in jsonwebtoken

Critical severity GitHub Reviewed Published Oct 9, 2018 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm jsonwebtoken (npm)

Affected versions

< 4.2.2

Patched versions

4.2.2

Description

Versions 4.2.1 and earlier of jsonwebtoken are affected by a verification bypass vulnerability. This is a result of weak validation of the JWT algorithm type, occuring when an attacker is allowed to arbitrarily specify the JWT algorithm.

Recommendation

Update to version 4.2.2 or later.

References

Published to the GitHub Advisory Database Oct 9, 2018
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

Critical

EPSS score

0.684%
(80th percentile)

Weaknesses

CVE ID

CVE-2015-9235

GHSA ID

GHSA-c7hr-j4mj-j2w6

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.