jsonwebtoken is vulnerable to incorrect verification of tokens. A remote attacker can get forged tokens validated when the application passes a poorly implemented key retrieval function as the secretOrPublicKey argument and supports both symmetric and asymmetric keys with the same key retrieval function.

| CPE | Name | Operator | Version |
|---|---|---|---|
| | jsonwebtoken | le | 7.1.0 |
| | jsonwebtoken | le | 8.5.1 |
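
The key retrieval weakness described above, shown beside a hardened resolver. This is an added example, not code from jsonwebtoken or from the advisory; the key ids, the key store layout and the function names are hypothetical, and the key material is constructed placeholder text.

```javascript
// Constructed key store: every key id (kid) is bound to one key type and to
// the only algorithms that key may verify. Key material is placeholder text.
const KEY_STORE = new Map([
  ['svc-hmac-1', { type: 'secret', algs: ['HS256'], key: 'constructed-shared-secret' }],
  ['idp-rsa-1', { type: 'public', algs: ['RS256'], key: '<RSA public key PEM placeholder>' }],
]);
const SYMMETRIC_ALGS = new Set(['HS256', 'HS384', 'HS512']);

// Weak pattern: one resolver for both key families that returns whatever the
// kid names and never compares header.alg with the type of that key.
function selectKeyLoose(header) {
  const entry = KEY_STORE.get(header.kid);
  if (!entry) throw new Error('unknown kid');
  return entry.key;
}

// Hardened pattern: the algorithm the token claims must be on the allow-list
// of the key it names, and its family must match the stored key type.
function selectKeyPinned(header) {
  if (!header || typeof header.kid !== 'string' || typeof header.alg !== 'string') {
    throw new Error('header must carry kid and alg');
  }
  const entry = KEY_STORE.get(header.kid);
  if (!entry) throw new Error('unknown kid');
  if (!entry.algs.includes(header.alg)) {
    throw new Error(`alg ${header.alg} is not allowed for kid ${header.kid}`);
  }
  if (SYMMETRIC_ALGS.has(header.alg) !== (entry.type === 'secret')) {
    throw new Error('algorithm family does not match key type');
  }
  return entry.key;
}

// Adapter in the (header, callback) shape that jwt.verify accepts as its
// secretOrPublicKey argument: jwt.verify(token, getKey, callback).
function getKey(header, callback) {
  try {
    callback(null, selectKeyPinned(header));
  } catch (err) {
    callback(err);
  }
}

// Runs a resolver on a decoded header and reports the outcome without throwing.
function tryResolve(resolver, header) {
  try {
    return { ok: true, key: resolver(header) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}
```

The pinned resolver fails closed before any signature check runs, so a header whose alg does not belong to the named key never reaches verification with that key.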