CVE-2025-65945
BaseFortify
Publication date: 2025-12-04
Last updated on: 2026-03-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| auth0 | node-jws | to 3.2.2 (exc) |
| auth0 | node-jws | 4.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the auth0/node-jws library, a JSON Web Signature (JWS) implementation for Node.js, in versions 3.2.2 and earlier and in 4.0.0. It is an improper signature verification flaw affecting the HS256 algorithm: if an application uses the jws.createVerify() function with HMAC algorithms and looks up the HMAC secret based on user-provided data taken from the JWS protected header or payload, attackers can bypass the signature verification process.
How can this vulnerability impact me?
This vulnerability can allow attackers to bypass signature verification, meaning they could potentially forge or tamper with JSON Web Signatures without detection. This could lead to unauthorized actions or access within applications relying on this library for secure token verification, compromising the integrity of authentication or data validation processes.
What immediate steps should I take to mitigate this vulnerability?
Upgrade auth0/node-jws to version 3.2.3 or later, or 4.0.1 or later, where the improper signature verification vulnerability has been patched.