CVE-2016-10555: Forgeable Public/Private Tokens in jwt-simple
(updated )
Since “algorithm” isn’t enforced in jwt.decode()in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA’s public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.
References
- auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
- github.com/advisories/GHSA-vgrx-w6rg-8fqf
- github.com/hokaccha/node-jwt-simple/commit/957957cfa44474049b4603b293569588ee9ffd97
- github.com/hokaccha/node-jwt-simple/pull/14
- github.com/hokaccha/node-jwt-simple/pull/16
- nodesecurity.io/advisories/87
- nvd.nist.gov/vuln/detail/CVE-2016-10555
- www.npmjs.com/advisories/87
Detect and mitigate CVE-2016-10555 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →