Improper input validation in Hackerone Jwt-simple Node Module

CVE-2016-10555

Since "algorithm" isn't enforced in jwt.decode() in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server…


EPSS: 0.817 (99.2nd percentile)

Affected products

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2016-10555?
CVE-2016-10555 is a vulnerability in Hackerone Jwt-simple Node Module, classified under Improper Input Validation. Published 2018-05-31.
Is CVE-2016-10555 known to be exploited?
27 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.