CVE-2025-65945

High CVSS: 7.5

auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.

Vendor

Auth0

Product

Node-jws

CWE

CWE-347

Yayın Tarihi

2025-12-04 19:16:05

Güncelleme

2026-03-09 21:19:08

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-347 Node-jws HIGH Auth0 2025

Referanslar

https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x

Benzer Kayıtlar

High

CVE-2026-34236

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in app…

Medium

CVE-2025-68129

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the a…

Medium

CVE-2025-67716

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through…

Medium

CVE-2025-67490

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.1…