PT-2018-4549 · Json Web Token · Jsonwebtoken

Published

2018-05-29

·

Updated

2026-06-04

·

CVE-2015-9235

CVSS v2.0

7.5

High

Vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: jsonwebtoken versions 4.2.1 and earlier
Description: jsonwebtoken's verify() trusted the alg field in the header of the incoming token and used whatever key material the caller supplied for that algorithm. A service that issues RS256 tokens and verifies them with its RSA public key therefore also accepts an attacker-crafted HS256 token whose HMAC key is the PEM text of that public key, a value the attacker can obtain because it is, by design, public. Since the library never checked that the header algorithm was one the verifier intended to accept, the attacker can forge arbitrary claims and bypass signature verification entirely.
Recommendations: Update to version 4.2.2 or later, and pass an explicit algorithms list to verify() (for example ['RS256']) so that the accepted algorithm is fixed by the verifier's configuration rather than by the token header.

Exploit

Fix

Use of a Broken Cryptographic Algorithm

RCE


Weakness Enumeration

Related Identifiers

CVE-2015-9235
GHSA-C7HR-J4MJ-J2W6

Affected Products

Jsonwebtoken