Skip to content

Forgeable Public/Private Tokens in jwt-simple

Critical severity GitHub Reviewed Published Nov 6, 2018 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm jwt-simple (npm)

Affected versions

< 0.3.1

Patched versions

0.3.1

Description

Affected versions of the jwt-simple package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT, the end result is a complete authentication bypass with minimal effort.

Recommendation

Update to version 0.3.1 or later.

Additionally, be sure to always specify an algorithm in calls to .decode().

References

Published to the GitHub Advisory Database Nov 6, 2018
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

Critical

EPSS score

0.102%
(43rd percentile)

Weaknesses

CVE ID

CVE-2016-10555

GHSA ID

GHSA-vgrx-w6rg-8fqf

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.