VDB
CVE-2015-9235
PUBLISHED
CVSS 9.8 CRITICAL
In the jsonwebtoken node module before 4.2.2, an attacker can bypass signature verification when the server expects a token signed with an asymmetric algorithm (RS/ES family) but the attacker instead submits a token signed with a symmetric algorithm (HS* family). The library selects the algorithm from the token's own header and reuses the key passed by the caller, so the public key intended for RSA/ECDSA verification is used as the HMAC secret; because that public key is not secret, the attacker can mint tokens that verify successfully.
EPSS 37.48% · 97.3rd percentile
Risk Scores
CVSS v3.0
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
37.48%
97.3rd percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| HackerOne | jsonwebtoken node module | * |
| auth0 | jsonwebtoken | 0 |
| npm | jsonwebtoken | 0 |
Timeline
- May 29, 2018 CVE Published
- Jan 8, 2021 CVE Updated
- Feb 4, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 17, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- May 24, 2023 EPSS Score
- Jul 15, 2023 EPSS Score
- Oct 28, 2023 EPSS Score
- Dec 20, 2023 EPSS Score
References
- https://nodesecurity.io/advisories/17 url
- https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687 url
- https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ url
- https://www.timmclean.net/2015/02/25/jwt-alg-none.html url
- https://nvd.nist.gov/vuln/detail/CVE-2015-9235 advisory
- https://github.com/advisories/GHSA-c7hr-j4mj-j2w6 advisory
- https://www.npmjs.com/advisories/17 url