Description
Versions of njwt prior to 1.0.0 are vulnerable to out-of-bounds reads when a number is passed into the base64urlEncode function.
On Node.js 6.x or lower this can expose sensitive information and on any other version of Node.js this creates a Denial of Service vulnerability.
Recommendation
Update the njwt package to the latest compatible version. Version details:
- Affected version(s): < 1.0.0
- Patched version(s): 1.0.0
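Independently of the upgrade, code that feeds values into an encoder can reject anything that is not a string or Buffer. The sketch below is an added example, not njwt's source: the function names are hypothetical, and it assumes the unsafe pattern is the deprecated `new Buffer(value)` constructor, which treats a number as a length (uninitialized memory before Node.js 8, a large allocation afterwards).

```javascript
// Added example, not code from njwt. Names are hypothetical.
// Assumption: the risky pattern is `new Buffer(value)`, where a numeric
// argument is interpreted as a buffer size instead of as data to encode.

function base64urlEncode(value) {
  let buf;
  if (typeof value === 'string') {
    // Buffer.from(string) always copies the string's bytes.
    buf = Buffer.from(value, 'utf8');
  } else if (Buffer.isBuffer(value)) {
    buf = value;
  } else {
    // Numbers, objects, null and undefined fail closed instead of
    // being handed to a Buffer constructor.
    throw new TypeError(
      'base64urlEncode expects a string or Buffer, got ' + typeof value
    );
  }
  return buf
    .toString('base64')
    .replace(/\+/g, '-')   // URL-safe alphabet
    .replace(/\//g, '_')
    .replace(/=+$/, '');   // strip padding
}

// Helper for checks and tests: true when the encoder refuses the input.
function isRejected(value) {
  try {
    base64urlEncode(value);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}

// Constructed sample inputs: values a JSON body could deliver where a
// string claim was expected.
const untrusted = [1024, 1e9, -1, NaN, null, undefined, { length: 64 }];
const allRejected = untrusted.every(isRejected);

console.log(base64urlEncode('{"alg":"HS256"}')); // encoded header segment
console.log('non-string inputs rejected:', allRejected);
```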
References
Related Issues
- OpenCC has an Out-of-bounds read when processing truncated UTF-8 input - Vulnerability
- Open Chinese Convert subject to Denial of Service via Out-of-bounds Read - CVE-2018-16982
- Open Chinese Convert has Out-of-bounds Write - CVE-2025-15536
- njwt Prototype Pollution vulnerability - CVE-2024-34273
Tags: npm, njwt
Last updated on January 09, 2023


