Package details: pkg:npm/jwt-simple@0.5.3
purl pkg:npm/jwt-simple@0.5.3
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
| Vulnerability | Summary | Aliases |
| --- | --- | --- |
| VCID-mtzj-rqrc-syas | Signature Verification Bypass in jwt-simple. Versions of `jwt-simple` prior to 0.5.3 are vulnerable to Signature Verification Bypass. If no algorithm is specified in the `decode()` function, the package uses the algorithm in the JWT to decode tokens. This allows an attacker to create an HS256 (symmetric algorithm) JWT with the server's public key as the secret, and the package will verify it as HS256 instead of RS256 (asymmetric algorithm). Recommendation: Upgrade to version 0.5.3 or later. | GHSA-8v5f-hp78-jgxq, GMS-2019-129 |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-06-02T04:39:19.880040+00:00 | GitLab Importer | Fixing | VCID-mtzj-rqrc-syas | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jwt-simple/GMS-2019-129.yml | 38.6.0 |