Node-jsonwebtoken Security Vulnerabilities


CVE-2022-23539

Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in t...

CVSS: 8.1, AI Score: 7.8, EPSS: 0.001

2022-12-23 12:15 AM

CVE-2022-23540

In versions <=8.5.1 of the jsonwebtoken library, a lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if they do not specify algorithms in the jwt.verify() function. Thi...

CVSS: 7.6, AI Score: 7.3, EPSS: 0.001

2022-12-22 07:15 PM

CVE-2022-23541

jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument from the readme link will result in incorrect verification of tokens. There...

CVSS: 6.3, AI Score: 6, EPSS: 0.001

2022-12-22 06:15 PM

CVE-2015-9235

In the jsonwebtoken node module before 4.2.2, it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family of algorithms) is expected but the attacker instead sends a token digitally signed with a symmetric algorithm (HS*...

CVSS: 9.8, AI Score: 9.3, EPSS: 0.006

2018-05-29 08:29 PM