CVE-2025-65945— auth0/node-jws improper HMAC signature verification vulnerability

auth0/node-jws improper HMAC signature verification vulnerability

auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

密码学签名的验证不恰当

node-jws 数据伪造问题漏洞

node-jws是Auth0开源的一个JSON Web签名库。 node-jws 3.2.2及之前版本和4.0.0版本存在数据伪造问题漏洞，该漏洞源于HS256算法签名验证不当，可能导致签名验证绕过。

N/A

N/A