Insecure Defaults Affecting package, versions <3.0.0

  • Attack Complexity


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    1 Oct 2017

  • disclosed

    31 Mar 2015

  • credit

    Tim McLean


Affected version of could lead to authentication bypass vulnerability when used incorrectly. To address the issue, as of version 3.0.0, key types are not compatible across signing methods.

Release notes: Dropped support for []byte keys when using RSA signing methods. This convenience feature could contribute to security vulnerabilities involving mismatched key types with signing methods.