CVE-2025-65945
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-04

Last updated on: 2026-03-09

Assigner: GitHub, Inc.

Description
auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-04
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2025-12-04
EPSS Evaluated
2026-06-15
NVD
CVE-2025-65945
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
auth0 node-jws to 3.2.2 (exc)
auth0 node-jws 4.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the auth0/node-jws library versions 3.2.2 and earlier and 4.0.0, which is used for JSON Web Signature implementation in Node.js. It involves improper signature verification when using the HS256 algorithm under specific conditions. Specifically, if an application uses the jws.createVerify() function with HMAC algorithms and relies on user-provided data from the JWS protected header or payload for HMAC secret lookup, attackers can bypass the signature verification process.

Impact Analysis

This vulnerability can allow attackers to bypass signature verification, meaning they could potentially forge or tamper with JSON Web Signatures without detection. This could lead to unauthorized actions or access within applications relying on this library for secure token verification, compromising the integrity of authentication or data validation processes.

Mitigation Strategies

Upgrade auth0/node-jws to version 3.2.3 or later, or 4.0.1 or later, where the improper signature verification vulnerability has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65945. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart