Vulnerabilities > Auth0 > Jsonwebtoken > High

DATE CVE VULNERABILITY TITLE RISK
2022-12-23 CVE-2022-23539 Use of a Broken or Risky Cryptographic Algorithm vulnerability in Auth0 Jsonwebtoken
Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification.
network
low complexity
auth0 CWE-327
8.1
2022-12-22 CVE-2022-23540 Improper Verification of Cryptographic Signature vulnerability in Auth0 Jsonwebtoken
In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification.
network
low complexity
auth0 CWE-347
7.6
2018-05-29 CVE-2015-9235 Use of a Broken or Risky Cryptographic Algorithm vulnerability in Auth0 Jsonwebtoken
In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).
network
low complexity
auth0 CWE-327
7.5