jsonwebtoken — CVE history (npm)
jsonwebtoken
4 CVEs affect the jsonwebtoken npm package (highest CVSS 9.8). Latest disclosed: 2022-12-23. Full CVE history sourced from NVD.
Summary
- Package: jsonwebtoken (npm)
- Total CVEs: 4
- Actively exploited (CISA KEV): 0
- Highest CVSS: 9.8
- Latest disclosed: 2022-12-23
Recent CVEs (top 4)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2022-23539 | Medium | 5.9 | — | 2022-12-23 | Versions `<=8.5.1` of the `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. |
| CVE-2022-23540 | Medium | 6.4 | — | 2022-12-22 | In versions `<=8.5.1` of the `jsonwebtoken` library, lack of an algorithm definition in the `jwt.verify()` function can lead to signature validation bypass, because verification defaults to the `none` algorithm. |
| CVE-2022-23541 | Medium | 5.0 | — | 2022-12-22 | jsonwebtoken is an implementation of JSON Web Tokens. |
| CVE-2015-9235 | Critical | 9.8 | — | 2018-05-29 | In the jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token is expected to be digitally signed with an asymmetric key (RS/ES family of algorithms) but the attacker instead sends a token digitally signed with a… |
All-time worst (top 4 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2015-9235 | Critical | 9.8 | — | 2018-05-29 | In the jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token is expected to be digitally signed with an asymmetric key (RS/ES family of algorithms) but the attacker instead sends a token digitally signed with a… |
| CVE-2022-23540 | Medium | 6.4 | — | 2022-12-22 | In versions `<=8.5.1` of the `jsonwebtoken` library, lack of an algorithm definition in the `jwt.verify()` function can lead to signature validation bypass, because verification defaults to the `none` algorithm. |
| CVE-2022-23539 | Medium | 5.9 | — | 2022-12-23 | Versions `<=8.5.1` of the `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. |
| CVE-2022-23541 | Medium | 5.0 | — | 2022-12-22 | jsonwebtoken is an implementation of JSON Web Tokens. |