PT-2022-16059 · Unknown · Jsonwebtoken

Julienwoll · Published 2022-12-22 · Updated 2026-06-04

CVE-2022-23539

CVSS v3.1: 5.9 Medium
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: jsonwebtoken versions <= 8.5.1
Description: The jsonwebtoken library could be misconfigured to use legacy, insecure key types for signature verification. For example, DSA keys could be used with the RS256 algorithm. Users are affected if they use an algorithm and key type combination other than those listed as unaffected. The issue has been fixed in version 9.0.0, which validates asymmetric key type and algorithm combinations.
Recommendations: Update to version 9.0.0 to fix the issue. After updating, if you still intend to use invalid key type/algorithm combinations, set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.

Weakness Enumeration

Use of a Broken Cryptographic Algorithm

Related Identifiers

CVE-2022-23539
GHSA-8CF7-32GW-WR33

Affected Products

Jsonwebtoken