CVE-2025-65945
auth0/node-jws Improperly Verifies HMAC Signature
Description
### Overview

An improper signature verification vulnerability exists when using auth0/node-jws with the HS256 algorithm under specific conditions.

### Am I Affected?

You are affected by this vulnerability if you meet all of the following preconditions:

1. Application uses the auth0/node-jws implementation of JSON Web Signatures, versions <=3.2.2 || 4.0.0
2. Application uses the jws.createVerify() function for HMAC algorithms
3. Application uses user-provided data from the JSON Web Signature Protected Header or Payload in the HMAC secret lookup routines

You are NOT affected by this vulnerability if you meet any of the following preconditions:

1. Application uses the jws.verify() interface (note: `auth0/node-jsonwebtoken` users fall into this category and are therefore NOT affected by this vulnerability)
2. Application uses only asymmetric algorithms (e.g. RS256)
3. Application doesn't use user-provided data from the JSON Web Signature Protected Header or Payload in the HMAC secret lookup routines

### Fix

Upgrade auth0/node-jws version to version 3.2.3 or 4.0.1

### Acknowledgement

Okta would like to thank Félix Charette for discovering this vulnerability.
How to fix CVE-2025-65945
To remediate CVE-2025-65945, upgrade the affected package to a fixed version below.
- auth0/node-jws: upgrade to 3.2.3 or later
Is CVE-2025-65945 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- auth0/node-jws: >= 0, < 3.2.3
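As an added example (not code from the advisory or from the auth0/node-jws project), the following script checks an npm lockfile for installed copies of the `jws` package whose version falls in the affected ranges the advisory states (<=3.2.2 or exactly 4.0.0, fixed in 3.2.3 and 4.0.1). It assumes the npm lockfile v2/v3 layout, in which every installed copy appears under a `packages` key with a `node_modules/.../jws` path; the lockfile fragment embedded below is constructed for illustration and is not real project data.

```javascript
// Added example: flag installed copies of the npm package "jws" (auth0/node-jws)
// that fall in the affected ranges from CVE-2025-65945: <= 3.2.2 or exactly 4.0.0.
// Fixed releases are 3.2.3 and 4.0.1.

function parseVersion(v) {
  // Strip a leading "v" and ignore any prerelease/build suffix; assumes a numeric
  // x.y.z core, which is what a lockfile records for published releases.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two x.y.z versions: -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Affected per the advisory: versions <= 3.2.2, or the single release 4.0.0.
function isAffectedJwsVersion(version) {
  return compareVersions(version, "3.2.2") <= 0 ||
         compareVersions(version, "4.0.0") === 0;
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2/3 layout, an
// assumption) and return every "jws" entry, top-level or nested, with an
// affected version. Nested copies matter: a transitive dependency may pin an
// old jws even when the top-level copy is already fixed.
function findAffectedJws(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const isJws = path === "node_modules/jws" || path.endsWith("/node_modules/jws");
    if (isJws && entry.version && isAffectedJwsVersion(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (not real project data): the top-level
// copy is on a fixed release, but a nested copy is pinned to an affected one.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "node_modules/jws": { version: "4.0.1" },
    "node_modules/some-dep/node_modules/jws": { version: "3.2.2" },
    "node_modules/some-dep": { version: "1.0.0" }
  }
};

console.log(JSON.stringify(findAffectedJws(SAMPLE_LOCKFILE)));
```

To use it against a real project, replace `SAMPLE_LOCKFILE` with the parsed contents of `package-lock.json` (for example `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`). A hit only tells you an affected version is installed; whether the application is actually exposed still depends on the advisory's other preconditions (use of `jws.createVerify()` with an HMAC algorithm and header- or payload-derived secret lookup).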