CVE-2016-10555

EPSS 81.7%

Forgeable Public/Private Tokens in jwt-simple

Published: 11/6/2018
Modified: 11/8/2023
Also known as: GHSA-vgrx-w6rg-8fqf

Description

Affected versions of the `jwt-simple` package allow the party supplying a JWT to select the algorithm the server will use to verify it. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT, the end result is a complete authentication bypass with minimal effort.

Recommendation

Update to version 0.3.1 or later. Additionally, be sure to always specify an algorithm in calls to `.decode()`.

Affected packages (1)

References (6)