Forgeable Public/Private Tokens (jws)
Affected versions of the jws package allow whoever presents a JWT, rather than the server, to select which algorithm the server uses to verify it. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT as a bearer token, the end result is a complete authentication bypass with minimal effort.
Update to version 3.0.0 or later.
Advisory published: Jul 26th, 2016
Initial report by Brian Brennan and Tim McLean: Mar 22nd, 2016