Versions 4.2.1 and earlier of jsonwebtoken are affected by a verification bypass vulnerability. This is the result of weak validation of the JWT algorithm type, occurring when an attacker is allowed to arbitrarily specify the JWT algorithm.
Update to version 4.2.2 or later.
Reported: Initial report by Tim McLean, Oct 17th, 2015
Published: Advisory published Apr 1st, 2015