Verification Bypass

Module: jsonwebtoken

Published: April 1st, 2015

Reported by: Tim McLean

CVE-NONE

CWE-

Vulnerable: <4.2.2
Patched: >=4.2.2

Overview

An attacker can bypass signature verification when the application expects "a token digitally signed with an asymmetric key (RS/ES family of algorithms) but instead the attacker sends a token digitally signed with a symmetric algorithm (HS* family)" [1]. The library picks the verification method from the token's own alg header, so an application that passes its RSA/EC public key as the key argument to verify will, when handed an HS* token, use that public key as the HMAC secret. Since the public key is not secret, the attacker can compute a valid HMAC over any payload of their choosing and have it accepted as a genuinely signed token.

Remediation

Update to version 4.2.2 or later. When calling verify, pass an explicit list of permitted algorithms via the algorithms option (for example ['RS256'] when verifying with an RSA public key) so that the token's alg header cannot select a different verification method.

References
