Vulnerability Description
In the jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token is expected to be digitally signed with an asymmetric key (RS/ES family of algorithms) but the attacker instead sends a token digitally signed with a symmetric algorithm (HS* family).
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Auth0 | Jsonwebtoken | < 4.2.2 |
Related Weaknesses (CWE)
References
- https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-lib (Vendor Advisory; broken link)
- https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673 (Patch; Third Party Advisory)
- https://nodesecurity.io/advisories/17 (Third Party Advisory)
- https://www.timmclean.net/2015/02/25/jwt-alg-none.html (Exploit; Third Party Advisory)
FAQ
What is CVE-2015-9235?
CVE-2015-9235 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In the jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token is expected to be digitally signed with an asymmetric key (RS/ES family of algorithms) but the attacker instead sends a token digitally signed with a symmetric algorithm (HS* family).
How severe is CVE-2015-9235?
CVE-2015-9235 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2015-9235?
Check the references section above for vendor advisories and patch information. Affected products include: Auth0 Jsonwebtoken.