PT-2025-49117 · Auth0 · Node.js

Published: 2025-12-04 · Updated: 2026-04-01 · CVE-2025-65945

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
auth0/node-jws versions 3.2.2 and earlier
auth0/node-jws version 4.0.0
Description: auth0/node-jws is a JSON Web Signature implementation for Node.js. A flaw exists in signature verification when the HS256 algorithm is used under specific conditions. Applications that use the jws.createVerify() function for HMAC algorithms and that incorporate user-provided data from the JSON Web Signature protected header or payload in their HMAC secret lookup routines may be susceptible to a signature verification bypass. The issue occurs when the username or other user-controlled data is used, directly or indirectly, in the process of generating the HMAC key.
Recommendations:
Update to auth0/node-jws version 3.2.3 or later.
Update to auth0/node-jws version 4.0.1 or later.


Weakness Enumeration: Improper Verification of Cryptographic Signature

Related Identifiers:
CLEANSTART-2026-IL36032
CVE-2025-65945
GHSA-869P-CJFG-CM3X

Affected Products: Node.js