JWT Algorithm Confusion in json-web-token library
Description
joaquimserafim/json-web-token is a JavaScript library used to interact with JSON Web Tokens (JWT), which are a compact, URL-safe means of representing claims to be transferred between two parties. Affected versions of the json-web-token library are vulnerable to a JWT algorithm confusion attack. On line 86 of the 'index.js' file, the algorithm used to verify the signature of the JWT is taken from the token itself, which at that point is still unverified and thus shouldn't be trusted. To exploit this vulnerability, an attacker needs to craft a malicious JWT containing the HS256 algorithm, signed with the public RSA key of the victim application. This attack will only work against this library if the RS256 algorithm is in use; however, it is a best practice to use that algorithm.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
json-web-token library is vulnerable to JWT algorithm confusion due to trusting the algorithm from an unverified token header.
The json-web-token JavaScript library is vulnerable to a JWT algorithm confusion attack. The vulnerability resides in line 86 of index.js, where the algorithm used for verifying a JWT token's signature is taken directly from the token's header before the token has been verified [1][2]. This means an attacker can craft a token that specifies a different algorithm than the one the server expects.
To exploit this, an attacker first needs to obtain the server's public RSA key, which can sometimes be recovered by observing multiple JWT tokens or other means. The attacker then creates a new JWT containing the HS256 algorithm in its header, signs it using the public RSA key as the HMAC secret, and presents it to the server. Since the library trusts the algorithm from the token, it will use the provided public key as an HMAC secret to verify the token, which will succeed [1][2].
The impact is that an attacker can forge arbitrary valid JWT tokens, potentially gaining unauthorized access to protected resources or privileges. For example, an attacker could modify the payload to set admin: true and have the server accept the token [2]. The attack is particularly effective when the server uses the RS256 algorithm, which is a common best practice, as the attacker can leverage the public key to sign the HS256 token.
Users of the library should upgrade to a patched version where the verification algorithm is hardcoded and not taken from the token. If no patch is available, a workaround is to ensure the server always validates that the token's algorithm matches an expected, trusted value before signature verification [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
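The workaround described above (check the token's algorithm against a trusted, configured value before verifying the signature) can be sketched as follows. This is an added example written against Node's built-in crypto module, not code from json-web-token; the names makeToken and verifyPinned, the key pair and the sample tokens are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const fromB64url = (s) => Buffer.from(s, 'base64url');

// Hypothetical helper that builds the constructed sample tokens below.
function makeToken(payload, alg, key) {
  const input = `${b64url(JSON.stringify({ typ: 'JWT', alg }))}.${b64url(JSON.stringify(payload))}`;
  const sig = alg === 'RS256'
    ? crypto.sign('sha256', Buffer.from(input), key)
    : crypto.createHmac('sha256', key).update(input).digest();
  return `${input}.${b64url(sig)}`;
}

// expectedAlg comes from server configuration, never from the token header.
function verifyPinned(token, key, expectedAlg) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, error: 'malformed token' };
  let header;
  try {
    header = JSON.parse(fromB64url(parts[0]).toString('utf8'));
  } catch {
    return { ok: false, error: 'malformed header' };
  }
  // Reject on mismatch before any signature computation takes place.
  if (header?.alg !== expectedAlg) return { ok: false, error: `algorithm mismatch: ${header?.alg}` };
  const input = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = fromB64url(parts[2]);
  let valid = false;
  if (expectedAlg === 'RS256') {
    valid = crypto.verify('sha256', input, key, sig);
  } else if (expectedAlg === 'HS256') {
    const mac = crypto.createHmac('sha256', key).update(input).digest();
    valid = mac.length === sig.length && crypto.timingSafeEqual(mac, sig);
  }
  if (!valid) return { ok: false, error: 'bad signature' };
  return { ok: true, payload: JSON.parse(fromB64url(parts[1]).toString('utf8')) };
}

// Constructed sample data: a throwaway RSA key pair generated at run time.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const legit = makeToken({ user: 'alice', admin: false }, 'RS256', privateKey);
// Regression case from the description: HS256 header, MAC keyed with the public PEM.
const confused = makeToken({ user: 'alice', admin: true }, 'HS256', publicKey);
console.log(verifyPinned(legit, publicKey, 'RS256'));
console.log(verifyPinned(confused, publicKey, 'RS256'));
```

Because the header check runs first, the second token is refused with an algorithm mismatch and the public key is never used as an HMAC secret.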
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| json-web-token (npm) | <= 3.1.1 | — |
Affected products
- Range: < 3.1.1
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-4xw9-cx39-r355 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-48238 (ghsa, ADVISORY)
- github.com/joaquimserafim/json-web-token/blob/acf6a462471e1b14187eb77414e9161b8b7bff7e/index.js (ghsa, WEB)
- github.com/joaquimserafim/json-web-token/security/advisories/GHSA-4xw9-cx39-r355 (ghsa, x_refsource_CONFIRM, WEB)