
Severity: high

Forgeable Public/Private Tokens



Affected versions of the jws package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT as a bearer token, the end result is a complete authentication bypass with minimal effort.


Update to version 3.0.0 or later.


Advisory timeline

  1. published

    Advisory published
    Jul 26th, 2016
  2. reported

    Initial report by Brian Brennan and Tim McLean
    Mar 22nd, 2016