jsonwebtoken

Verification Bypass

Severity: critical

Overview

Versions 4.2.1 and earlier of jsonwebtoken are affected by a verification bypass vulnerability. It results from weak validation of the JWT algorithm type and occurs when an attacker is allowed to arbitrarily specify the JWT algorithm used for verification.

Remediation

Update to version 4.2.2 or later.

Vulnerable versions

0.1.0 (5 years ago)
0.2.0 (4 years ago)
0.3.0 (4 years ago)
0.4.0 (4 years ago)
0.4.1 (4 years ago)
1.0.0 (4 years ago)
1.0.2 (4 years ago)
1.1.0 (4 years ago)
1.1.1 (4 years ago)
1.1.2 (4 years ago)
1.2.0 (4 years ago)
1.3.0 (4 years ago)
2.0.0 (4 years ago)
3.0.0 (4 years ago)
3.1.0 (4 years ago)
3.1.1 (4 years ago)
3.2.0 (4 years ago)
3.2.1 (4 years ago)
3.2.2 (4 years ago)
4.0.0 (3 years ago)
4.1.0 (3 years ago)
4.2.0 (3 years ago)
4.2.1 (3 years ago)

Unaffected versions

4.2.2 (3 years ago)
5.0.0 (3 years ago)
5.0.1 (3 years ago)
5.0.2 (3 years ago)
5.0.3 (3 years ago)
5.0.4 (3 years ago)
5.0.5 (3 years ago)
5.1.0 (3 years ago)
5.2.0 (3 years ago)
5.3.1 (3 years ago)
5.4.0 (3 years ago)
5.4.1 (3 years ago)
5.5.0 (3 years ago)
5.5.1 (3 years ago)
5.5.2 (3 years ago)
5.5.3 (3 years ago)
5.5.4 (3 years ago)
5.6.0 (2 years ago)
5.6.2 (2 years ago)
5.7.0 (2 years ago)
6.0.0 (2 years ago)
6.0.1 (2 years ago)
6.1.0 (2 years ago)
6.1.1 (2 years ago)
6.1.2 (2 years ago)
6.2.0 (2 years ago)
7.0.0 (2 years ago)
7.0.1 (2 years ago)
7.1.0 (2 years ago)
7.1.1 (2 years ago)
7.1.3 (2 years ago)
7.1.5 (2 years ago)
7.1.6 (2 years ago)
7.1.7 (2 years ago)
7.1.8 (2 years ago)
7.1.9 (2 years ago)
7.1.10 (2 years ago)
7.2.0 (2 years ago)
7.2.1 (2 years ago)
7.3.0 (2 years ago)
7.4.0 (a year ago)
7.4.1 (a year ago)
7.4.2 (a year ago)
7.4.3 (a year ago)
8.0.0 (a year ago)
8.0.1 (a year ago)
8.1.0 (10 months ago)
8.1.1 (7 months ago)
8.2.0 (5 months ago)
8.2.1 (4 months ago)
8.2.2 (3 months ago)
8.3.0 (2 months ago)

Advisory timeline

  1. Published: Advisory published, Apr 1st, 2015
  2. Reported: Initial report by Tim McLean, Oct 17th, 2015