VDB
KO
CRITICAL

GHSA-9gxv-x7rp-r2hc

gree/jose - "None" Algorithm treated as valid in tokens

Details

Several widely-used JSON Web Token (JWT) libraries, including node-jsonwebtoken, pyjwt, namshi/jose, php-jwt, and jsjwt, are affected by critical vulnerabilities that could allow attackers to bypass the verification step when using asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512).

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / gree/jose
Introduced in: 0 Fixed in: 2.2.1
Fix composer require gree/jose:^2.2.1

References