CVE-2016-10555
Forgeable Public/Private Tokens in jwt-simple
EPSS 81.7%
Description
Affected versions of the `jwt-simple` package allow the client to select which algorithm the server will use to verify a provided JWT: the algorithm is taken from the token's own header rather than fixed by the verifying code. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use of JWTs as authentication tokens, the end result is a complete authentication bypass with minimal effort.
Recommendation
Update to version 0.3.1 or later. Additionally, always specify an algorithm in calls to `.decode()`.
How to fix CVE-2016-10555
To remediate CVE-2016-10555, upgrade the affected package to a fixed version below.
- jwt-simple: upgrade to 0.3.1 or later
Is CVE-2016-10555 being exploited?
Likely — EPSS is 81.7%, placing CVE-2016-10555 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- jwt-simple: >= 0, < 0.3.1