westonphillips / CheckmarxOnePOV

This repo will be used for Checkmarx ONE POV
MIT License

CVE-2022-23540 @ Npm-jsonwebtoken-5.0.0 #132

Open westonphillips opened 1 year ago

westonphillips commented 1 year ago

Vulnerable Package issue exists @ Npm-jsonwebtoken-5.0.0 in branch main

In versions of the jsonwebtoken library prior to 9.0.0, the lack of an algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if they do not specify algorithms in the jwt.verify() function. This issue has been fixed: the fix removes the default support for the none algorithm in the jwt.verify() method, so the none algorithm no longer needs to be allowed for. If you need the 'none' algorithm, you have to explicitly specify that in the jwt.verify() options.

Namespace: westonphillips
Repository: CheckmarxOnePOV
Repository Url: https://github.com/westonphillips/CheckmarxOnePOV
CxAST-Project: westonphillips/CheckmarxOnePOV
CxAST platform scan: 6a8170d0-38fa-4efc-81df-42628474102c
Branch: main
Application: CheckmarxOnePOV
Severity: HIGH
State: NOT_IGNORED
Status: RECURRENT
CWE: CWE-327


Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: LOW
Availability impact: LOW
Remediation Upgrade Recommendation: 9.0.0


References: Advisory, Commit, Release Note