org.webjars.npm:jsonwebtoken 8.2.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.npm:jsonwebtoken package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Use of a Broken or Risky Cryptographic Algorithm Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm such that the library can be misconfigured to use legacy, insecure key types for signature verification. For example, DSA keys could be used with the RS256 algorithm. How to fix Use of a Broken or Risky Cryptographic Algorithm? There is no fixed version for `org.webjars.npm:jsonwebtoken`.	[0,)
M Improper Restriction of Security Token Assignment Affected versions of this package are vulnerable to Improper Restriction of Security Token Assignment via the `secretOrPublicKey` argument due to misconfigurations of the key retrieval function `jwt.verify()`. Exploiting this vulnerability might result in incorrect verification of forged tokens when tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. Note: This vulnerability affects your application if it supports the usage of both symmetric and asymmetric keys in `jwt.verify()` implementation with the same key retrieval function. How to fix Improper Restriction of Security Token Assignment? There is no fixed version for `org.webjars.npm:jsonwebtoken`.	[0,)
M Improper Authentication Affected versions of this package are vulnerable to Improper Authentication such that the lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. How to fix Improper Authentication? There is no fixed version for `org.webjars.npm:jsonwebtoken`.	[0,)

Vulnerability

Vulnerable Version

Use of a Broken or Risky Cryptographic Algorithm

Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm such that the library can be misconfigured to use legacy, insecure key types for signature verification. For example, DSA keys could be used with the RS256 algorithm.

How to fix Use of a Broken or Risky Cryptographic Algorithm?

There is no fixed version for org.webjars.npm:jsonwebtoken.

[0,)

Improper Restriction of Security Token Assignment

Affected versions of this package are vulnerable to Improper Restriction of Security Token Assignment via the secretOrPublicKey argument due to misconfigurations of the key retrieval function jwt.verify(). Exploiting this vulnerability might result in incorrect verification of forged tokens when tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm.

Note: This vulnerability affects your application if it supports the usage of both symmetric and asymmetric keys in jwt.verify() implementation with the same key retrieval function.

How to fix Improper Restriction of Security Token Assignment?

There is no fixed version for org.webjars.npm:jsonwebtoken.

[0,)

Improper Authentication

Affected versions of this package are vulnerable to Improper Authentication such that the lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification.

How to fix Improper Authentication?

There is no fixed version for org.webjars.npm:jsonwebtoken.

[0,)

org.webjars.npm:jsonwebtoken@8.2.1 vulnerabilities

latest version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?