VYPR

npm package

jwt-simple

pkg:npm/jwt-simple

Vulnerabilities (1)

  • CVE-2016-10555MedMay 31, 2018
    affected < 0.3.1fixed 0.3.1

    Since "algorithm" isn't enforced in jwt.decode()in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an