Medium severity6.5NVD Advisory· Published May 31, 2018· Updated Jun 17, 2026
CVE-2016-10555
CVE-2016-10555
Description
Since "algorithm" isn't enforced in jwt.decode()in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
jwt-simplenpm | < 0.3.1 | 0.3.1 |
Affected products
2- HackerOne/jwt-simple node modulev5Range: <=0.3.0
Patches
Vulnerability mechanics
References
9- auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/nvdBroken LinkThird Party Advisory
- github.com/advisories/GHSA-vgrx-w6rg-8fqfghsaADVISORY
- github.com/hokaccha/node-jwt-simple/pull/14nvdIssue TrackingThird Party AdvisoryWEB
- github.com/hokaccha/node-jwt-simple/pull/16nvdIssue TrackingThird Party AdvisoryWEB
- nodesecurity.io/advisories/87nvdThird Party Advisory
- nvd.nist.gov/vuln/detail/CVE-2016-10555ghsaADVISORY
- auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-librariesghsaWEB
- github.com/hokaccha/node-jwt-simple/commit/957957cfa44474049b4603b293569588ee9ffd97ghsaWEB
- www.npmjs.com/advisories/87ghsaWEB
News mentions
0No linked articles in our index yet.