12 matches found
Security Bulletin: Security Vulnerabilities affect IBM Voice Gateway
Summary: Security Vulnerabilities affect IBM Voice Gateway. The vulnerabilities have been addressed. Vulnerability Details: CVEID: CVE-2025-65945 DESCRIPTION: auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an...
EUVD-2022-5902
Malicious code in bioql PyPI...
EUVD-2025-30790
Malicious code in bioql PyPI...
EUVD-2024-0395
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2025-59420
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib's JWS verification accepts tokens that declare unknow...
CVE-2025-59420
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib's JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 "must-understand" semantics. An attacker can craft a signed token with a critical...
CVE-2025-59420 Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib's JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 "must-understand" semantics. An attacker can craft a signed token with a critical...
Authentication Bypass by Primary Weakness
Overview Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness due to the improper handling of JWS signature verification. An attacker can bypass security checks and authenticate using a specially crafted JWS without valid credentials. Note: CVE-2025-4658 i...
CVE-2024-21664
A null pointer dereference vulnerability was found in the jwx/jws Go module. This issue arises when invoking "jws.Parse" with a JSON serialized payload containing a present signature field while the protected field is absent, which may cause a system crash or initiate a denial of service (DoS)...
Null pointer dereference
jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS ...
CVE-2024-21664 Parsing JSON serialized payload without protected field can lead to segfault
jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS ...
Parsing JSON serialized payload without protected field can lead to segfault
Summary: Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. Details: This seems to also affect other functions that call Parse internally, like jws.Verify. My understanding of these functions from t...
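The Authlib and jwx entries above are both verifier-side handling of RFC 7515 structure: one accepts a crit list it does not understand, the other dereferences a protected header that the JSON serialization is allowed to omit. The block below is an added example, not code from Authlib, jwx, node-jws or any other project listed on this page. It is a minimal HS256-only JWS verifier that rejects unknown crit names (section 4.1.11) and treats a JSON-serialized signature object with no protected field as a rejected input rather than a crash (section 7.2). The key, payloads and the "x-tenant" extension name are constructed for the demo.

```python
# Added example, not code from Authlib, jwx, node-jws or any other project on this
# page: a minimal HS256-only JWS verifier showing two RFC 7515 checks.
#  - crit (section 4.1.11): every name listed must be understood, or the JWS is invalid.
#  - JSON serialization (section 7.2): "protected" is optional in a signature object,
#    so its absence is an input condition to reject cleanly, not a crash.
# The key, payloads and the "x-tenant" extension name are constructed for the demo.
import base64
import hashlib
import hmac
import json


class JWSError(ValueError):
    """Any structural or cryptographic failure; callers treat all of them as 'reject'."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    if not isinstance(text, str):
        raise JWSError("base64url field must be a string")
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except ValueError as exc:  # binascii.Error is a ValueError
        raise JWSError(f"malformed base64url: {exc}") from None


# Header names registered by RFC 7515 itself; crit MUST NOT list these.
REGISTERED = frozenset({"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit"})
# Extension names this verifier implements; anything else in crit is "not understood".
UNDERSTOOD_CRIT = frozenset({"b64"})  # RFC 7797; only b64=true is accepted below


def decode_header(encoded: str) -> dict:
    try:
        header = json.loads(b64url_decode(encoded))
    except ValueError as exc:  # UTF-8 and JSON errors (JWSError passes through unchanged)
        raise JWSError(f"malformed protected header: {exc}") from None
    if not isinstance(header, dict):
        raise JWSError("protected header must be a JSON object")
    return header


def check_crit(protected: dict, unprotected: dict) -> None:
    if "crit" in unprotected:
        raise JWSError("crit must be integrity protected")
    crit = protected.get("crit")
    if crit is None:
        return
    if not isinstance(crit, list) or not crit or not all(isinstance(n, str) for n in crit):
        raise JWSError("crit must be a non-empty array of strings")
    for name in crit:
        if name in REGISTERED:
            raise JWSError(f"crit must not list registered header {name!r}")
        if name not in protected and name not in unprotected:
            raise JWSError(f"critical header {name!r} is not present")
        if name not in UNDERSTOOD_CRIT:
            raise JWSError(f"unknown critical header {name!r}")  # the Authlib failure mode


def sign_hs256(key: bytes, protected: dict, payload: bytes) -> str:
    """Produce a compact-serialization JWS (demo helper for building inputs)."""
    head = b64url_encode(json.dumps(protected, separators=(",", ":")).encode())
    body = b64url_encode(payload)
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def _verify_one(key: bytes, encoded_protected, unprotected, body: str, encoded_sig) -> None:
    protected = decode_header(encoded_protected) if encoded_protected else {}
    if not isinstance(unprotected, dict):
        raise JWSError("unprotected header must be a JSON object")
    if set(protected) & set(unprotected):
        raise JWSError("header parameter present in both protected and unprotected headers")
    check_crit(protected, unprotected)
    if protected.get("b64", True) is not True:
        raise JWSError("b64=false is not supported")
    if protected.get("alg") != "HS256":  # alg is accepted only when integrity protected
        raise JWSError("alg must be HS256 and integrity protected")
    expected = hmac.new(key, f"{encoded_protected}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(encoded_sig)):
        raise JWSError("bad signature")


def verify(key: bytes, token) -> bytes:
    """Verify a compact string or a JSON-serialized JWS (flattened or general); return the payload."""
    if isinstance(token, str):
        parts = token.split(".")
        if len(parts) != 3:
            raise JWSError("compact JWS must have three parts")
        _verify_one(key, parts[0], {}, parts[1], parts[2])
        return b64url_decode(parts[1])
    if not isinstance(token, dict) or not isinstance(token.get("payload"), str):
        raise JWSError("JSON JWS must be an object with a string payload")
    sigs = token["signatures"] if "signatures" in token else [token]
    if not isinstance(sigs, list) or not sigs:
        raise JWSError("signatures must be a non-empty array")
    for sig in sigs:
        if not isinstance(sig, dict) or "signature" not in sig:
            raise JWSError("signature object lacks a signature")
        encoded_protected = sig.get("protected", "")  # absent is legal (RFC 7515 7.2.1)
        unprotected = sig.get("header", {})
        if not encoded_protected and not unprotected:
            raise JWSError("signature object has neither protected nor header")
        _verify_one(key, encoded_protected, unprotected, token["payload"], sig["signature"])
    return b64url_decode(token["payload"])


def outcome(key: bytes, token) -> str:
    """'ok:<payload>' or 'rejected:<reason>'; any other exception escaping is a crash bug."""
    try:
        return "ok:" + verify(key, token).decode()
    except JWSError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    good = sign_hs256(key, {"alg": "HS256"}, b'{"sub":"alice"}')
    evil = sign_hs256(key, {"alg": "HS256", "crit": ["x-tenant"], "x-tenant": "acme"}, b'{"sub":"alice"}')
    head, body, sig = good.split(".")
    for t in (good, evil, {"payload": body, "signatures": [{"signature": sig}]}):
        print(outcome(key, t))
```

Two design choices worth noting: alg is only read from the protected header, so an unprotected alg in a JSON-serialized signature object is rejected rather than used; and every malformed-input path, including a missing protected field, surfaces as JWSError, so a caller that catches that one type never sees the parser blow up on attacker-controlled structure.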