npm

Severity: critical

Verification Bypass

jsonwebtoken

Overview

Versions 4.2.1 and earlier of jsonwebtoken are affected by a verification bypass vulnerability. The cause is weak validation of the JWT algorithm type: the bypass occurs when an attacker is allowed to arbitrarily specify the JWT algorithm that the library uses to verify the token.

Remediation

Update to version 4.2.2 or later.


Advisory timeline

  1. reported

    Initial report by Tim McLean
    Oct 17th, 2015
  2. published

    Advisory published
    Apr 1st, 2015