CRITICAL
GHSA-9gxv-x7rp-r2hc
gree/jose - "None" Algorithm treated as valid in tokens
Details
Several widely-used JSON Web Token (JWT) libraries, including node-jsonwebtoken, pyjwt, namshi/jose, php-jwt, and jsjwt, are affected by critical vulnerabilities that could allow attackers to bypass the verification step when using asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512).
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries [WEB]
- https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/gree/jose/2016-08-30.yaml [WEB]
- https://github.com/nov/jose-php [PACKAGE]
- https://github.com/nov/jose-php/compare/2.2.0...2.2.1 [WEB]