jsonwebtoken — CVE history (npm)

jsonwebtoken

4 CVEs affect the jsonwebtoken npm package (highest CVSS 9.8). Latest disclosed: 2022-12-23. Full CVE history sourced from NVD.

Summary

Package: jsonwebtoken (npm)
Total CVEs: 4
Actively exploited (CISA KEV): 0
Highest CVSS: 9.8
Latest disclosed: 2022-12-23

Recent CVEs (top 4)

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2022-23539 | Medium | 5.9 | No | 2022-12-23 | Versions `<=8.5.1` of the `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification.
CVE-2022-23540 | Medium | 6.4 | No | 2022-12-22 | In versions `<=8.5.1` of the `jsonwebtoken` library, lack of an algorithm definition in the `jwt.verify()` function can lead to signature validation bypass, because verification defaults to the `none` algorithm.
CVE-2022-23541 | Medium | 5.0 | No | 2022-12-22 | jsonwebtoken is an implementation of JSON Web Tokens.
CVE-2015-9235 | Critical | 9.8 | No | 2018-05-29 | In the jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token is digitally signed with an asymmetric key (RS/ES family of algorithms) but the attacker instead sends a token digitally signed with a…

All-time worst (top 4 by CVSS)

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2015-9235 | Critical | 9.8 | No | 2018-05-29 | In the jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token is digitally signed with an asymmetric key (RS/ES family of algorithms) but the attacker instead sends a token digitally signed with a…
CVE-2022-23540 | Medium | 6.4 | No | 2022-12-22 | In versions `<=8.5.1` of the `jsonwebtoken` library, lack of an algorithm definition in the `jwt.verify()` function can lead to signature validation bypass, because verification defaults to the `none` algorithm.
CVE-2022-23539 | Medium | 5.9 | No | 2022-12-23 | Versions `<=8.5.1` of the `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification.
CVE-2022-23541 | Medium | 5.0 | No | 2022-12-22 | jsonwebtoken is an implementation of JSON Web Tokens.