Description
Versions of njwt prior to 1.0.0 are vulnerable to out-of-bounds reads when a number is passed into the base64urlEncode function instead of a string. The function hands its argument to the legacy Buffer constructor, which treats a number as a byte count rather than as content to encode, so the returned base64url string is built from a freshly allocated buffer of that size instead of from the caller's data.
On Node.js 6.x or lower that buffer is not zero-filled, so the encoded output can expose sensitive information from process memory. On any other version of Node.js the allocation is zeroed, but an attacker-controlled size still creates a Denial of Service vulnerability because the process allocates (or fails to allocate) that many bytes.
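The following is an added example, not njwt's own code, showing the unsafe pattern the advisory describes beside a hardened version. It assumes a base64url encoder of the shape used for JWT header and payload segments, and the numeric claim value is constructed input for the demonstration.

```javascript
// Added example (not njwt's code): why a number reaching base64urlEncode is
// dangerous, and how a hardened encoder rejects it.

// Shared base64url post-processing for JWT segments (RFC 7515 style).
function base64url(buf) {
  return buf.toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// Vulnerable shape: new Buffer(n) interprets a number as a size.
// On Node.js <= 6 the bytes are uninitialized (memory disclosure);
// on newer Node.js they are zero-filled but still allocated, so a large
// attacker-controlled n exhausts memory or throws (denial of service).
function unsafeBase64UrlEncode(input) {
  return base64url(new Buffer(input)); // legacy constructor, deliberately unsafe here
}

// Hardened shape: refuse anything that is not a string or Buffer, then use
// Buffer.from, which never treats its argument as a length.
function safeBase64UrlEncode(input) {
  if (typeof input !== 'string' && !Buffer.isBuffer(input)) {
    throw new TypeError('base64urlEncode expects a string or Buffer, got ' + typeof input);
  }
  return base64url(Buffer.from(input));
}

// Decoder used to show the round trip of a correctly encoded segment.
function base64UrlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Demonstration: a claim arrives as the number 12 (constructed input).
function demo() {
  const claim = 12;
  // Encodes 12 allocated bytes, never the characters "12".
  const leaked = unsafeBase64UrlEncode(claim);
  // Coerce to string first, then encode: "MTI" is base64url("12").
  const correct = safeBase64UrlEncode(String(claim));
  const header = safeBase64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  return { leaked, correct, roundTrip: base64UrlDecode(correct), header };
}

module.exports = { unsafeBase64UrlEncode, safeBase64UrlEncode, base64UrlDecode, demo };
```

Calling demo() shows the difference directly: the unsafe encoder returns a 16-character string (12 bytes of buffer contents) while the safe encoder returns "MTI", which decodes back to "12". The safe encoder throws on a bare number rather than silently encoding memory.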
Recommendation
Update the njwt package to the latest compatible version. Version details:
- Affected version(s): < 1.0.0
- Patched version(s): 1.0.0
References
Related Issues
- Open Chinese Convert subject to Denial of Service via Out-of-bounds Read - CVE-2018-16982
- @saltcorn/server arbitrary file zip read and download when downloading auto backups - Vulnerability
- njwt Prototype Pollution vulnerability - CVE-2024-34273
- cookie accepts cookie name, path, and domain with out of bounds characters - CVE-2024-47764
Tags: npm, njwt
Last updated on January 09, 2023