jsonwebtoken
npm · 4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting jsonwebtoken (page 1 of 1)
- CVE-2015-9235 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 4.2.2 | 2018-05-29
In the jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token is digitally signed with an asymmetric key (RS/ES family) of algorithms, but instead the attacker sends a token digitally signed with a …
- CVE-2022-23539 | MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 9.0.0 | 2022-12-23
Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an …
- CVE-2022-23540 | MEDIUM | CVSS 6.4 | EG 6.4 | ✓ Fixed in 9.0.0 | 2022-12-22
In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected i…
- CVE-2022-23541 | MEDIUM | CVSS 5.0 | EG 5.0 | ✓ Fixed in 9.0.0 | 2022-12-22
jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the rea…