Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
Vulnerability Description
In versions `<=8.5.1` of the `jsonwebtoken` library, omitting the `algorithms` option in `jwt.verify()` can lead to a signature validation bypass, because verification falls back to the `none` algorithm, i.e. a token with no signature is accepted as valid. Users are affected if they do not specify `algorithms` in the `jwt.verify()` call. This issue has been fixed in version 9.0.0, which removes the default support for the `none` algorithm in `jwt.verify()`. There is no impact after updating to version 9.0.0 unless you need to allow unsigned tokens; if you do need the `none` algorithm, you must list it explicitly in the `algorithms` option of `jwt.verify()`. Regardless of version, pinning `algorithms` to the exact algorithm(s) the server signs with is the check that closes this class of bypass.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
Vulnerability Type
Improper Authentication
Vulnerability Title
jsonwebtoken data forgery vulnerability
Vulnerability Description
jsonwebtoken is an open-source implementation of JSON Web Tokens from Auth0. jsonwebtoken versions 8.5.1 and earlier contain a data forgery vulnerability: because the `none` algorithm is used by default for signature verification when no algorithm is defined in the `jwt.verify` call, signature verification may be bypassed.
CVSS Information
N/A
Vulnerability Type
N/A