Insecure Defaults Affecting Open this link in a new tab package, versions <3.0.0

  • Attack Complexity


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    1 Oct 2017

  • disclosed

    31 Mar 2015

  • credit

    Tim McLean

Introduced: 31 Mar 2015

CWE-453 Open this link in a new tab


Affected version of could lead to authentication bypass vulnerability when used incorrectly. To address the issue, as of version 3.0.0, key types are not compatible across signing methods.

Release notes: Dropped support for []byte keys when using RSA signing methods. This convenience feature could contribute to security vulnerabilities involving mismatched key types with signing methods.