Vulnerabilities > Auth0 > Jsonwebtoken > High
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-12-23 | CVE-2022-23539 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Auth0 Jsonwebtoken Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. | 8.1 |
2022-12-22 | CVE-2022-23540 | Improper Verification of Cryptographic Signature vulnerability in Auth0 Jsonwebtoken In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. | 7.6 |
2018-05-29 | CVE-2015-9235 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Auth0 Jsonwebtoken In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family). | 7.5 |