Julienwoll

**Name of the Vulnerable Software and Affected Versions** jsonwebtoken versions <=8.5.1 **Description** The jsonwebtoken library could be misconfigured to use legacy, insecure key types for signature verification. For example, DSA keys could be used with the RS256 algorithm. Users are affected if they use an algorithm and key type combination other than those listed as unaffected. The issue has been fixed in version 9.0.0, which validates asymmetric key type and algorithm combinations. **Recommendations** Update to version 9.0.0 to fix the issue. After updating, if you still intend to use invalid key type/algorithm combinations, set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.

**Name of the Vulnerable Software and Affected Versions** jsonwebtoken versions <=8.5.1 **Description** The issue arises from the lack of algorithm definition in the `jwt.verify()` function, leading to a signature validation bypass due to defaulting to the `none` algorithm for signature verification. This occurs when no algorithms are specified in the `jwt.verify()` function and a falsy secret or key is used. Users are affected if they receive a token with no signature, do not specify algorithms, and pass a falsy secret or key. **Recommendations** For jsonwebtoken versions <=8.5.1, update to version 9.0.0 to remove the default support for the `none` algorithm in the `jwt.verify()` method. If the `none` algorithm is needed, explicitly specify it in the `jwt.verify()` options.

**Name of the Vulnerable Software and Affected Versions** jsonwebtoken versions <= 8.5.1 **Description** The jsonwebtoken library can be misconfigured, leading to incorrect verification of tokens. This occurs when a poorly implemented key retrieval function is used, referring to the `secretOrPublicKey` argument. As a result, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm, allowing for successful validation of forged tokens. This issue affects applications that support both symmetric and asymmetric keys in the jwt.verify() implementation with the same key retrieval function. **Recommendations** Update to version 9.0.0 to resolve the issue. If you are currently using a version of jsonwebtoken that is <= 8.5.1, updating to version 9.0.0 will fix the problem. As a temporary workaround, consider reviewing and correcting your key retrieval function to ensure it properly handles both symmetric and asymmetric keys. Restrict access to the jwt.verify() function to minimize the risk of exploitation until the update is applied.