CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
EPSS
Percentile
38.1%
In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the jwt.verify()
function can lead to signature validation bypass due to defaulting to the none
algorithm for signature verification.
You will be affected if all the following are true in the jwt.verify()
function:
Update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify()
method.
There will be no impact, if you update to version 9.0.0 and you donβt need to allow for the none
algorithm. If you need βnoneβ algorithm, you have to explicitly specify that in jwt.verify()
options.
Vendor | Product | Version | CPE |
---|---|---|---|
* | jsonwebtoken | * | cpe:2.3:a:*:jsonwebtoken:*:*:*:*:*:*:*:* |