CVE-2016-10525

CRITICAL

hapi-auth-jwt2 5.1.1 - Unauthenticated Authentication Bypass via 'try' Mode

Title source: llm

Description

When attempting to allow authentication mode `try` in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass authentication.

References (3)

Core References
Third Party Advisory x_refsource_misc
https://nodesecurity.io/advisories/81
Third Party Advisory x_refsource_misc
https://github.com/dwyl/hapi-auth-jwt2/pull/112
Patch, Third Party Advisory x_refsource_misc
https://github.com/dwyl/hapi-auth-jwt2/issues/111

Scores

CVSS v3 9.8
EPSS 0.0252
EPSS Percentile 82.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-287
Status published
Products (2)
dwyl/hapi-auth-jwt2 < 5.1.1
npm/hapi-auth-jwt2 5.1.1 - 5.1.2
Published May 29, 2018
Tracked Since Feb 18, 2026