In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsLearn about Improper Input Validation vulnerabilities in an interactive lesson.
Start learningThis was deemed not a vulnerability.
jsonwebtoken is a JSON Web Token implementation (symmetric and asymmetric)
Affected versions of this package are vulnerable to Improper Input Validation.
This vulnerability was revoked after ongoing community discussion due to the unreasonable exploitability requirements stated below. The pre-requisite being that an attacker would have to have the ability to modify the source code in order to execute this vulnerability.
If a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey
argument from the readme link) of the jwt.verify()
function, they can gain remote code execution (RCE).
Users are affected only if they are allowing untrusted entities to modify the key retrieval parameter of the jwt.verify()
on a host that they control.
Note: CVE-2022-23529 has been retracted because it was found to be invalid. The issue is not a vulnerability.