14 matches found
MAL-2025-3638 Malicious code in node-jwt-simple (npm)
Source: ghsa-malware 4b327dac41c47c206948d7e146a6174435ee74981c5726827f68050b3692060a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
blind-rsa-signatures (=0.9.0), cyfs-base (>=0.5.0 <=0.6.12) +6 more potentially affected by unknown CVE via rsa-export (>=0.1.2 <=0.3.3)
rsa-export CARGO version =0.1.2, =0.5.0, =0.5.0, =0.2.7, =0.1.2, =0.1.4 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2024-0333...
@amitport/auth-server (=0.0.3), @amitport/koangular-users (=0.0.0) +320 more potentially affected by unknown CVE via jwt-simple (>=0.1.0 <=0.5.1)
jwt-simple NPM version =0.1.0, =1.0.2, =1.1.0, =1.0.1, =1.0.0, =1.0.0, =1.0.0, =0.2.0, =0.10.2, =0.11.2 - @sysdoc/sysdoc-web-stack =1.0.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-8V5F-HP78-JGXQ...
Signature Verification Bypass in jwt-simple
Versions of jwt-simple prior to 0.5.3 are vulnerable to Signature Verification Bypass. If no algorithm is specified in the decode function, the package uses the algorithm in the JWT to decode tokens. This allows an attacker to create an HS256 symmetric algorithm JWT with the server's public key a...
GHSA-8V5F-HP78-JGXQ Signature Verification Bypass in jwt-simple
Versions of jwt-simple prior to 0.5.3 are vulnerable to Signature Verification Bypass. If no algorithm is specified in the decode function, the package uses the algorithm in the JWT to decode tokens. This allows an attacker to create an HS256 symmetric algorithm JWT with the server's public key a...
JWT Signature Verification Bypass
jwt-simple is vulnerable to signature verification bypass. A remote attacker is able to succeed in a JWT verification without specifying an algorithm in the decode function...
Signature Verification Bypass
Overview: Versions of jwt-simple prior to 0.5.3 are vulnerable to Signature Verification Bypass. If no algorithm is specified in the decode function, the package uses the algorithm in the JWT to decode tokens. This allows an attacker to create an HS256 symmetric algorithm JWT with the server's...
Forgeable Public/Private Tokens in jwt-simple
Affected versions of the jwt-simple package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT, the end result ...
GHSA-VGRX-W6RG-8FQF Forgeable Public/Private Tokens in jwt-simple
Affected versions of the jwt-simple package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT, the end result ...
CVE-2016-10555
Since "algorithm" isn't enforced in jwt.decode in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key...
Code injection
Since "algorithm" isn't enforced in jwt.decode in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key...
CVE-2016-10555
Since "algorithm" isn't enforced in jwt.decode in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key...
CVE-2016-10555
The CVE-2016-10555 issue affects the jwt-simple library (Node.js). It arises because jwt.decode() does not strictly enforce the algorithm, allowing a malicious user to choose the JWT verification algorithm. If a server expects RSA but receives an HMAC-SHA with RSA’s public key, the public key cou...
Forgeable Public/Private Tokens
Overview: Affected versions of the jwt-simple package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT, the en...