Improper Input Validation The advisory has been revoked - it doesn't affect any version of package jsonwebtoken Open this link in a new tab

Expand this section
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • published 22 Dec 2022
  • disclosed 22 Dec 2022
  • credit Palo Alto Networks


This was deemed not a vulnerability.


jsonwebtoken is a JSON Web Token implementation (symmetric and asymmetric) Affected versions of this package are vulnerable to Improper Input Validation.


This vulnerability was revoked after ongoing community discussion due to the unreasonable exploitability requirements stated below. The pre-requisite being that an attacker would have to have the ability to modify the source code in order to execute this vulnerability.

Original Description

If a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote code execution (RCE).


Users are affected only if they are allowing untrusted entities to modify the key retrieval parameter of the jwt.verify() on a host that they control.