jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()

Moderate severity GitHub Reviewed Published Dec 21, 2022 in auth0/node-jsonwebtoken • Updated Jun 21, 2024

Package

npm jsonwebtoken (npm)

Affected versions

< 9.0.0

Patched versions

9.0.0

Description

Overview

In versions <= 8.5.1 of the jsonwebtoken library, calling jwt.verify() without an algorithms list while passing a falsy secret or key can lead to signature validation bypass, because verification then defaults to the none algorithm.

Am I affected?

You will be affected if all the following are true in the jwt.verify() function:

  • a token with no signature is received
  • no algorithms are specified
  • a falsy (e.g. null, false, undefined) secret or key is passed

How do I fix it?

Update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method.

Will the fix impact my users?

There will be no impact if you update to version 9.0.0 and you don't need to allow the none algorithm. If you do need the 'none' algorithm, you have to specify it explicitly in the jwt.verify() options.

References

@julienwoll julienwoll published to auth0/node-jsonwebtoken Dec 21, 2022
Published to the GitHub Advisory Database Dec 22, 2022
Reviewed Dec 22, 2022
Published by the National Vulnerability Database Dec 22, 2022
Last updated Jun 21, 2024

Severity

Moderate, 6.4 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

CVE ID

CVE-2022-23540

GHSA ID

GHSA-qwph-4952-7xr6