jsonwebtoken is vulnerable to improper input validation. A remote attacker is able to write arbitrary files on the host machine via the secretOrPublicKey argument from the readme link of the jwt.verify() function due to improper input validation. The vulnerability is only possible if untrusted entities are allowed to modify the key retrieval parameter of jwt.verify() on a host that you control.

Name | Operator | Version |
---|---|---|
jsonwebtoken | le | 8.5.1 |
jsonwebtoken | le | 7.1.0 |
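
One way to enforce the missing input validation in application code before a key reaches jwt.verify(), shown as an added example that is not part of this advisory or of the jsonwebtoken project. The helper names `assertSafeVerifyKey` and `guardKeyLookup` are hypothetical, and the key store is constructed sample data.

```javascript
const { KeyObject } = require("node:crypto");

// Hypothetical helper: return the key only if it has a type real key material has.
function assertSafeVerifyKey(key) {
  const ok = (typeof key === "string" || Buffer.isBuffer(key))
    ? key.length > 0
    : key instanceof KeyObject;
  if (!ok) {
    // Report the type only; never stringify the untrusted value itself.
    const kind = key === null ? "null" : Array.isArray(key) ? "array" : typeof key;
    throw new TypeError(
      `verification key rejected (${kind}); expected non-empty string, Buffer or KeyObject`);
  }
  return key;
}

// Wrap a getKey(header, callback) lookup, the function form of secretOrPublicKey,
// so that whatever the lookup returns is validated before the library sees it.
function guardKeyLookup(getKey) {
  return function guardedGetKey(header, callback) {
    getKey(header, (err, key) => {
      if (err) return callback(err);
      let checked;
      try { checked = assertSafeVerifyKey(key); } catch (e) { return callback(e); }
      callback(null, checked);
    });
  };
}

// Constructed sample: a key store parsed from JSON where one entry is not key material.
const sampleStore = JSON.parse(
  '{"k1":"constructed-shared-secret","k2":{"unexpected":"object"}}');
const lookup = guardKeyLookup((header, cb) => cb(null, sampleStore[header.kid]));

// Run the guarded lookup for one kid and report the outcome.
function outcomeFor(kid) {
  let result;
  lookup({ kid }, (err) => { result = err ? "rejected" : "accepted"; });
  return result;
}

console.log(outcomeFor("k1"), outcomeFor("k2"), outcomeFor("missing"));
// With the library installed, pass the guarded lookup as the key argument:
//   jwt.verify(token, lookup, options, callback)
```

Only string, Buffer and KeyObject values pass the guard; anything else a lookup returns, including a missing entry, is rejected before verification starts.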