Authorization bypass in express-jwt
Description
In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have algorithms configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the secret. You can fix this by specifying algorithms in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
express-jwtnpm | < 6.0.0 | 6.0.0 |
Affected products
2- Range: <= 5.3.3
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-6g6m-m6h5-w9gfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-15084ghsaADVISORY
- github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdefghsax_refsource_MISCWEB
- github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gfghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.