VYPR

npm package

jsonwebtoken

pkg:npm/jsonwebtoken

Vulnerabilities (4)

  • CVE-2022-23539 · Dec 22, 2022
    affected < 9.0.0 · fixed 9.0.0

    Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a com

  • CVE-2022-23540 · Dec 22, 2022
    affected < 9.0.0 · fixed 9.0.0

    In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `j

  • CVE-2022-23541 · Dec 22, 2022
    affected < 9.0.0 · fixed 9.0.0

    jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verific

  • CVE-2015-9235 · Cri · May 29, 2018
    affected < 4.2.2 · fixed 4.2.2

    In the jsonwebtoken node module before 4.2.2, it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family of algorithms) is expected but the attacker instead sends a token digitally signed with a symmetric algorithm (HS* family).