CNNVD-202512-484 Information

CNNVD ID

CNNVD-202512-484

CVE-2025-65945

  • CNNVD Published: 2025-12-04

Description

node-jws is an open-source JSON Web Signature library from Auth0. node-jws versions 3.2.2 and earlier, and version 4.0.0, contain a data forgery vulnerability. The vulnerability stems from improper signature verification for the HS256 algorithm, which may lead to a signature verification bypass.

Hazard Level

Medium

Vulnerability Type

Data forgery

Affected Vendor

Auth0

Published

2025-12-04

Last Modified

2026-02-24

References

https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e

https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x

Patch

https://github.com/auth0/node-jws
