CVE-2015-9235

Summary

In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).

Affected Software

VendorProductVersion RangeStatus
HackerOnejsonwebtoken node module<4.2.2affected

Weaknesses

  • CWE-20: Improper Input Validation (CWE-20)

ADP Enrichment

CVE Program Container

Additional References

References