PT-2020-14172 · Auth0 · Express-Jwt+1

Gkwang · Published 2020-06-30 · Updated 2025-12-17 · CVE-2020-15084

CVSS v3.1: 7.7 (High)

Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: express-jwt versions 5.3.3 and earlier
Description: The issue arises when the algorithms entry is not specified in the express-jwt configuration. In versions up to and including 5.3.3 the algorithms entry is not enforced, which can lead to authorization bypass when a library such as jwks-rsa is used as the secret. To be affected, an application must use express-jwt, leave algorithms unconfigured, and use a library such as jwks-rsa as the secret.
Recommendations: For express-jwt versions 5.3.3 and earlier, specify algorithms in the express-jwt configuration, for example algorithms: ['RS256'], so that only the listed algorithms are accepted. Users who already specify algorithms are not affected by the patch, which makes algorithms a required configuration entry.

Fix

Weakness Enumeration

Incorrect Authorization
Improper Authorization

Related Identifiers

CVE-2020-15084
GHSA-6G6M-M6H5-W9GF

Affected Products

Express-Jwt
Jwks-Rsa