CVE-2016-10555

Source
https://cve.org/CVERecord?id=CVE-2016-10555
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-10555.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2016-10555
Aliases
Published
2018-05-31T20:29:02.067Z
Modified
2026-03-15T22:04:47.386663Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
[none]
Details

Since the "algorithm" is not enforced in jwt.decode() in jwt-simple 0.3.0 and earlier, a malicious user can choose which algorithm is sent to the server. If the server expects RSA but is sent HMAC-SHA together with RSA's public key, the server treats the public key as if it were an HMAC private key. This can be used to forge any data an attacker wants.

References

Affected packages

Git / github.com/hokaccha/node-jwt-simple

Affected ranges

Type
GIT
Repo
https://github.com/hokaccha/node-jwt-simple
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.3.0"
        }
    ]
}

Affected versions

v0.*
v0.3.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-10555.json"