VYPR
Medium severity6.5NVD Advisory· Published May 31, 2018· Updated Jun 17, 2026

CVE-2016-10555

CVE-2016-10555

Description

Since "algorithm" isn't enforced in jwt.decode()in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
jwt-simplenpm
< 0.3.10.3.1

Affected products

2
  • ghsa-coords
    Range: < 0.3.1
  • HackerOne/jwt-simple node modulev5
    Range: <=0.3.0

Patches

Vulnerability mechanics

References

9

News mentions

0

No linked articles in our index yet.