jws 1.0.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the jws package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Improper Verification of Cryptographic Signature jws is an Implementation of JSON Web Signatures Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the `createVerify` function when using HS256 HMAC algorithms and incorporating user-provided data from the JSON Web Signature Protected Header or Payload in HMAC secret lookup routines. An attacker can bypass signature verification by manipulating the header or payload to influence the secret lookup process. Note: This is only exploitable if the application uses the `createVerify` function for HMAC algorithms - and not the `jws.verify()` interface - and relies on user-provided data from the header or payload in secret lookup routines. How to fix Improper Verification of Cryptographic Signature? Upgrade `jws` to version 3.2.3, 4.0.1 or higher.	<3.2.3>=4.0.0 <4.0.1
H Forgeable Public/Private Tokens `jws` is an implementation of JSON Web Signatures. Affected versions of this package are vulnerable to an Authentication Bypass attack, due to the "algorithm" not being enforced in `jws.verify()`. Attackers are given the opportunity to choose the algorithm sent to the server and generate signatures with arbitrary contents. The server expects an asymmetric key (RSA) but is sent a symmetric key (HMAC-SHA) with RSA's public key, so instead of going through a key validation process, the server will think the public key is actually an HMAC private key. How to fix Forgeable Public/Private Tokens? Upgrade `jws` to version `3.0.0` or later.	<3.0.0

Vulnerability

Vulnerable Version

Improper Verification of Cryptographic Signature

jws is an Implementation of JSON Web Signatures

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the createVerify function when using HS256 HMAC algorithms and incorporating user-provided data from the JSON Web Signature Protected Header or Payload in HMAC secret lookup routines. An attacker can bypass signature verification by manipulating the header or payload to influence the secret lookup process.

Note:

This is only exploitable if the application uses the createVerify function for HMAC algorithms - and not the jws.verify() interface - and relies on user-provided data from the header or payload in secret lookup routines.

How to fix Improper Verification of Cryptographic Signature?

Upgrade jws to version 3.2.3, 4.0.1 or higher.

<3.2.3>=4.0.0 <4.0.1

Forgeable Public/Private Tokens

jws is an implementation of JSON Web Signatures. Affected versions of this package are vulnerable to an Authentication Bypass attack, due to the "algorithm" not being enforced in jws.verify(). Attackers are given the opportunity to choose the algorithm sent to the server and generate signatures with arbitrary contents. The server expects an asymmetric key (RSA) but is sent a symmetric key (HMAC-SHA) with RSA's public key, so instead of going through a key validation process, the server will think the public key is actually an HMAC private key.

How to fix Forgeable Public/Private Tokens?

Upgrade jws to version 3.0.0 or later.

<3.0.0

jws@1.0.0 vulnerabilities

Implementation of JSON Web Signatures

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically