jsonwebtoken uses unrestricted key type. A remote attacker is able to bypass signature verification if the library is misconfigured so that legacy, insecure key types are used for the verification. The user is affected if the library uses an algorithm and a key type other than a combination listed in the GitHub Security Advisory
as unaffected.