Lookup for vulnerable packages by Package URL.

Purl: pkg:npm/jwt-simple@0.5.3
Type: npm
Namespace:
Name: jwt-simple
Version: 0.5.3
Qualifiers:
Subpath:
Is_vulnerable: false
Next_non_vulnerable_version: null
Latest_non_vulnerable_version: null
Affected_by_vulnerabilities:
Fixing_vulnerabilities:
  0:
    url: VCID-mtzj-rqrc-syas
    vulnerability_id: VCID-mtzj-rqrc-syas
    summary:
Signature Verification Bypass in jwt-simple
Versions of `jwt-simple` prior to 0.5.3 are vulnerable to Signature Verification Bypass. If no algorithm is specified in the `decode()` function, the package uses the algorithm in the JWT to decode tokens. This allows an attacker to create an HS256 (symmetric algorithm) JWT with the server's public key as secret, and the package will verify it as HS256 instead of RS256 (asymmetric algorithm).


## Recommendation

Upgrade to version 0.5.3 or later.
    references:
      0:
        reference_url: https://github.com/hokaccha/node-jwt-simple/commit/ead36e1d687645da9c3be8befdaaef622ea33106
        reference_id:
        reference_type:
        scores:
        url: https://github.com/hokaccha/node-jwt-simple/commit/ead36e1d687645da9c3be8befdaaef622ea33106
      1:
        reference_url: https://www.npmjs.com/advisories/831
        reference_id:
        reference_type:
        scores:
        url: https://www.npmjs.com/advisories/831
      2:
        reference_url: https://github.com/advisories/GHSA-8v5f-hp78-jgxq
        reference_id: GHSA-8v5f-hp78-jgxq
        reference_type:
        scores:
        url: https://github.com/advisories/GHSA-8v5f-hp78-jgxq
    fixed_packages:
      0:
        url: pkg:npm/jwt-simple@0.5.3
        purl: pkg:npm/jwt-simple@0.5.3
        is_vulnerable: false
        affected_by_vulnerabilities:
        resource_url: http://public2.vulnerablecode.io/packages/pkg:npm/jwt-simple@0.5.3
    aliases: GHSA-8v5f-hp78-jgxq, GMS-2019-129
    risk_score: null
    exploitability: null
    weighted_severity: null
    resource_url: http://public2.vulnerablecode.io/vulnerabilities/VCID-mtzj-rqrc-syas
Risk_score: null
Resource_url: http://public2.vulnerablecode.io/packages/pkg:npm/jwt-simple@0.5.3