Lookup for vulnerable packages by Package URL.

Purl pkg:npm/jws@0.2.1
Type npm
Namespace
Name jws
Version 0.2.1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.2.3
Latest_non_vulnerable_version 4.0.1
Affected_by_vulnerabilities
0
url VCID-dby1-4b7h-6fa2
vulnerability_id VCID-dby1-4b7h-6fa2
summary auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-65945.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-65945.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-65945
reference_id
reference_type
scores
0
value 0.00016
scoring_system epss
scoring_elements 0.03676
published_at 2026-06-11T12:55:00Z
1
value 0.00016
scoring_system epss
scoring_elements 0.03701
published_at 2026-06-14T12:55:00Z
2
value 0.00016
scoring_system epss
scoring_elements 0.03687
published_at 2026-06-13T12:55:00Z
3
value 0.00016
scoring_system epss
scoring_elements 0.03694
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-65945
2
reference_url https://github.com/auth0/node-jws
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/auth0/node-jws
3
reference_url https://github.com/auth0/node-jws/commit/4f6e73f24df42f07d632dec6431ade8eda8d11a6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/auth0/node-jws/commit/4f6e73f24df42f07d632dec6431ade8eda8d11a6
4
reference_url https://github.com/auth0/node-jws/releases/tag/v3.2.3
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/auth0/node-jws/releases/tag/v3.2.3
5
reference_url https://github.com/auth0/node-jws/releases/tag/v4.0.1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/auth0/node-jws/releases/tag/v4.0.1
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2418904
reference_id 2418904
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2418904
7
reference_url https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e
reference_id 34c45b2c04434f925b638de6a061de9339c0ea2e
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-05T18:31:41Z/
url https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-65945
reference_id CVE-2025-65945
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-65945
9
reference_url https://github.com/advisories/GHSA-869p-cjfg-cm3x
reference_id GHSA-869p-cjfg-cm3x
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-869p-cjfg-cm3x
10
reference_url https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x
reference_id GHSA-869p-cjfg-cm3x
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-05T18:31:41Z/
url https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x
11
reference_url https://access.redhat.com/errata/RHSA-2026:0261
reference_id RHSA-2026:0261
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:0261
12
reference_url https://access.redhat.com/errata/RHSA-2026:0531
reference_id RHSA-2026:0531
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:0531
13
reference_url https://access.redhat.com/errata/RHSA-2026:1730
reference_id RHSA-2026:1730
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:1730
14
reference_url https://access.redhat.com/errata/RHSA-2026:1942
reference_id RHSA-2026:1942
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:1942
15
reference_url https://access.redhat.com/errata/RHSA-2026:2456
reference_id RHSA-2026:2456
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2456
16
reference_url https://access.redhat.com/errata/RHSA-2026:2681
reference_id RHSA-2026:2681
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2681
17
reference_url https://access.redhat.com/errata/RHSA-2026:2754
reference_id RHSA-2026:2754
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2754
18
reference_url https://access.redhat.com/errata/RHSA-2026:2762
reference_id RHSA-2026:2762
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2762
19
reference_url https://access.redhat.com/errata/RHSA-2026:2921
reference_id RHSA-2026:2921
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2921
20
reference_url https://access.redhat.com/errata/RHSA-2026:2922
reference_id RHSA-2026:2922
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2922
21
reference_url https://access.redhat.com/errata/RHSA-2026:2926
reference_id RHSA-2026:2926
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2926
22
reference_url https://access.redhat.com/errata/RHSA-2026:4185
reference_id RHSA-2026:4185
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:4185
23
reference_url https://access.redhat.com/errata/RHSA-2026:4215
reference_id RHSA-2026:4215
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:4215
fixed_packages
0
url pkg:npm/jws@3.2.3
purl pkg:npm/jws@3.2.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jws@3.2.3
1
url pkg:npm/jws@4.0.1
purl pkg:npm/jws@4.0.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jws@4.0.1
aliases CVE-2025-65945, GHSA-869p-cjfg-cm3x
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dby1-4b7h-6fa2
1
url VCID-fc4n-c7ge-8yar
vulnerability_id VCID-fc4n-c7ge-8yar
summary Forgeable Public/Private Tokens in jws
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2016-1000223
reference_id
reference_type
scores
0
value 0.01798
scoring_system epss
scoring_elements 0.83252
published_at 2026-06-14T12:55:00Z
1
value 0.01798
scoring_system epss
scoring_elements 0.83256
published_at 2026-06-13T12:55:00Z
2
value 0.01798
scoring_system epss
scoring_elements 0.83247
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2016-1000223
1
reference_url https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries
2
reference_url https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3
scoring_elements
url https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
3
reference_url https://github.com/brianloveswords/node-jws
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/brianloveswords/node-jws
4
reference_url https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3
scoring_elements
1
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e
5
reference_url https://snyk.io/vuln/npm:jws:20160726
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/npm:jws:20160726
6
reference_url https://www.npmjs.com/advisories/88
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/88
7
reference_url https://github.com/nodejs/security-wg/blob/main/vuln/npm/88.json
reference_id 88
reference_type
scores
0
value 8.7
scoring_system cvssv3
scoring_elements
url https://github.com/nodejs/security-wg/blob/main/vuln/npm/88.json
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-1000223
reference_id CVE-2016-1000223
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2016-1000223
9
reference_url https://github.com/advisories/GHSA-gjcw-v447-2w7q
reference_id GHSA-gjcw-v447-2w7q
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gjcw-v447-2w7q
fixed_packages
0
url pkg:npm/jws@3.0.0
purl pkg:npm/jws@3.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dby1-4b7h-6fa2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jws@3.0.0
aliases CVE-2016-1000223, GHSA-gjcw-v447-2w7q, GMS-2020-742
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fc4n-c7ge-8yar
2
url VCID-fjpa-s946-67e2
vulnerability_id VCID-fjpa-s946-67e2
summary
Forgeable Public/Private Tokens
Since "algorithm" isn't enforced in `jws.verify()`, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.
references
0
reference_url https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
reference_id
reference_type
scores
url https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
1
reference_url https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e
reference_id
reference_type
scores
url https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e
fixed_packages
0
url pkg:npm/jws@3.0.0
purl pkg:npm/jws@3.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dby1-4b7h-6fa2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jws@3.0.0
aliases GMS-2016-54
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fjpa-s946-67e2
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jws@0.2.1