jws@0.2.2 vulnerabilities

Implementation of JSON Web Signatures

  • latest version

    4.0.0

  • latest non vulnerable version

  • first published

    12 years ago

  • latest version published

    5 years ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the jws package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Forgeable Public/Private Tokens

    jws is an implementation of JSON Web Signatures. Affected versions of this package are vulnerable to an Authentication Bypass attack, due to the "algorithm" not being enforced in jws.verify(). Attackers are given the opportunity to choose the algorithm sent to the server and generate signatures with arbitrary contents. The server expects an asymmetric key (RSA) but is sent a symmetric key (HMAC-SHA) with RSA's public key, so instead of going through a key validation process, the server will think the public key is actually an HMAC private key.

    How to fix Forgeable Public/Private Tokens?

    Upgrade jws to version 3.0.0 or later.

    <3.0.0