VYPR

node-jsonwebtoken

by Auth0

CVEs (3)

  • CVE-2022-23539 (Dec 22, 2022)
    risk 0.00 | cvss | epss 0.00

    Versions `<=8.5.1` of the `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a…

  • CVE-2022-23540 (Dec 22, 2022)
    risk 0.00 | cvss | epss 0.01

    In versions `<=8.5.1` of the `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the…

  • CVE-2022-23541 (Dec 22, 2022)
    risk 0.00 | cvss | epss 0.01

    jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of the `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect…