Vulnerability Database


CVE-2016-1000223

Affected versions of the jws package verify a JWT with whatever algorithm the token's own `alg` header names, so the party presenting the token, not the server, selects the verification algorithm. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT as a bearer token, the end result is a complete authentication bypass with minimal effort.

Recommendation

Update to version 3.0.0 or later, which takes the expected algorithm as an explicit parameter to `jws.verify` instead of reading it from the token header, and pass that parameter from a server-side constant so the token can no longer choose how it is verified.

CVSS v3:

  • Severity: High
  • Score: 8.7 (computed from the vector below; the source entry left the score blank)
  • AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

No CWE or OWASP classifications available.