Description
A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Signature (JWS) standard for JSON Web Tokens (JWTs): the standard allows a public key (a JSON Web Key) to be carried in the JWS header, and node-jose trusted that embedded key to verify the token's own signature, so a token signed under an attacker-chosen key verifies as valid.
Recommendation
Update the node-jose package to the latest compatible version. Version details:
- Affected version(s): < 0.11.0
- Patched version(s): 0.11.0
References
- GHSA-jfxm-w8g2-4rcv
- tools.cisco.com
- www.exploit-db.com
- web.archive.org
- CVE-2018-0114
- CWE-347
- CAPEC-310
- OWASP 2021-A2
- OWASP 2021-A6
Related Issues
- Prototype Pollution in lodash (GHSA-jf85-cpcp-j695) - CVE-2019-10744
- jquery-validation vulnerable to Cross-site Scripting - CVE-2025-3573
- @mozilla/readability Denial of Service through Regex - CVE-2025-2792
- ejson shell parser in MongoDB Compass may be bypassed - CVE-2024-6376
Tags
- npm
- node-jose
Last updated on October 14, 2023