GoogleOSV:GHSA-QWPH-4952-7XR6jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
7.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
0.001 Low
EPSS
Percentile
34.5%
Overview
In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification.
Am I affected?
You will be affected if all the following are true in the jwt.verify() function:
- a token with no signature is received
- no algorithms are specified
- a falsy (e.g. null, false, undefined) secret or key is passed
How do I fix it?
Update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method.
Will the fix impact my users?
There will be no impact, if you update to version 9.0.0 and you donβt need to allow for the none algorithm. If you need βnoneβ algorithm, you have to explicitly specify that in jwt.verify() options.
| CPE | Name | Operator | Version |
|---|---|---|---|
| jsonwebtoken | lt | 9.0.0 |
Related
7.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
0.001 Low
EPSS
Percentile
34.5%