Closed skt1598 closed 1 year ago
Hi @skt1598, we have reviewed the vulnerabilities in jsonwebtoken v8, and have updated our twilio-node v4 release candidate to v9: https://github.com/twilio/twilio-node/blob/4.0.0-rc/package.json#L26
Duplicate Issue https://github.com/twilio/twilio-node/issues/846
Introduced through: twilio@3.84.1 › jsonwebtoken@8.5.1
Affected versions of this package are vulnerable to Improper Restriction of Security Token Assignment via the secretOrPublicKey argument due to misconfigurations of the key retrieval function jwt.verify(). Exploiting this vulnerability might result in incorrect verification of forged tokens when tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm.
Ref: https://security.snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180024
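One way to enforce the check the advisory describes, as an added example that is not code from twilio-node or jsonwebtoken: a minimal verifier on Node's built-in `crypto` module that pins the accepted algorithm to the key it is given. `signToken`, `verifyPinned` and `demo` are hypothetical names, and the key pair and tokens are constructed sample data generated at run time.

```javascript
const nodeCrypto = require('node:crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Helper that builds sample tokens for the demo (constructed data only).
function signToken(alg, key, payload) {
  const input = `${enc({ alg, typ: 'JWT' })}.${enc(payload)}`;
  const sig = alg === 'RS256'
    ? nodeCrypto.sign('sha256', Buffer.from(input), key)
    : nodeCrypto.createHmac('sha256', key).update(input).digest();
  return `${input}.${sig.toString('base64url')}`;
}

// The caller states which algorithms this key may be used with; the token's
// own header is never allowed to choose.
function verifyPinned(token, key, allowedAlgs) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const { alg } = dec(h);
  if (!allowedAlgs.includes(alg)) throw new Error(`algorithm ${alg} not allowed`);
  const input = Buffer.from(`${h}.${p}`);
  const sig = Buffer.from(s, 'base64url');
  let ok = false;
  if (alg === 'RS256') {
    ok = nodeCrypto.verify('sha256', input, nodeCrypto.createPublicKey(key), sig);
  } else if (alg === 'HS256') {
    // Second line of defence: PEM key material is never a valid HMAC secret.
    if (String(key).includes('-----BEGIN')) throw new Error('asymmetric key used as HMAC secret');
    const mac = nodeCrypto.createHmac('sha256', key).update(input).digest();
    ok = mac.length === sig.length && nodeCrypto.timingSafeEqual(mac, sig);
  }
  if (!ok) throw new Error('invalid signature');
  return dec(p);
}

// Runs the verifier over a genuine RS256 token and the case from the advisory.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const genuine = signToken('RS256', privateKey, { sub: 'alice' });
  const confused = signToken('HS256', publicKey, { sub: 'alice' }); // HS256 keyed with the public key
  const outcome = (t) => { try { return verifyPinned(t, publicKey, ['RS256']).sub; } catch (e) { return e.message; } };
  return { genuine: outcome(genuine), confused: outcome(confused) };
}
```

With jsonwebtoken itself, the equivalent control is the `algorithms` option of `jwt.verify()`, set to the single algorithm family that matches the key.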