Verification Bypass

Module: jsonwebtoken

Published: April 1st, 2015

Reported by: Tim McLean

CVE-NONE

CWE-287

Vulnerable: <4.2.2
Patched: >=4.2.2

Overview

Versions 4.2.1 and earlier of jsonwebtoken are affected by a verification bypass vulnerability. This is a result of weak validation of the JWT algorithm type, occurring when an attacker is allowed to arbitrarily specify the JWT algorithm.

Remediation

Update to version 4.2.2 or later.

References