CVE-2016-10555

MEDIUM

Jwt-simple < 0.3.0 - Improper Input Validation

Title source: rule

Description

Since "algorithm" isn't enforced in jwt.decode() in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.
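The following added example (not jwt-simple's code and not from this advisory) contrasts a verifier that lets the token header choose the algorithm, as the description says of jwt.decode(), with one that pins the algorithm the server expects. It uses only Node's built-in crypto module; the function names `sign`, `checkSignature`, `decode` and `accepts` are hypothetical, and the key pair and tokens are constructed test data.

```javascript
// Added example: header-trusting vs algorithm-pinned JWT verification (Node built-ins only).
const crypto = require('node:crypto');
const b64url = (data) => Buffer.from(data).toString('base64url');

// Constructed test key pair; the PEM public key is what an RS256 server would hold.
const { publicKey: pubObj, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const publicKey = pubObj.export({ type: 'spki', format: 'pem' });

// Helper that builds test tokens for the checks below.
function sign(alg, key, payload) {
  const input = b64url(JSON.stringify({ typ: 'JWT', alg })) + '.' + b64url(JSON.stringify(payload));
  const sig = alg === 'HS256'
    ? crypto.createHmac('sha256', key).update(input).digest()
    : crypto.createSign('RSA-SHA256').update(input).sign(key);
  return input + '.' + b64url(sig);
}

function checkSignature(alg, key, input, sig) {
  if (alg === 'HS256') {
    const expected = crypto.createHmac('sha256', key).update(input).digest();
    return expected.length === sig.length && crypto.timingSafeEqual(expected, sig);
  }
  if (alg === 'RS256') return crypto.createVerify('RSA-SHA256').update(input).verify(key, sig);
  return false; // any other algorithm, including "none", is refused
}

// With expectedAlg omitted, the token's own header picks the algorithm (the flaw described above).
// With expectedAlg set, a header naming any other algorithm is rejected before the key is used.
function decode(token, key, expectedAlg) {
  const [h, p, s] = token.split('.');
  if (!h || !p || !s) throw new Error('malformed token');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (expectedAlg && header.alg !== expectedAlg) throw new Error('algorithm mismatch');
  const alg = expectedAlg || header.alg;
  const ok = checkSignature(alg, key, h + '.' + p, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('signature verification failed');
  return JSON.parse(Buffer.from(p, 'base64url').toString());
}

function accepts(token, key, expectedAlg) {
  try { decode(token, key, expectedAlg); return true; } catch { return false; }
}

// Constructed tokens: one signed with the RSA private key, one HMAC'd with the public PEM.
const legit = sign('RS256', privateKey, { sub: 'alice' });
const confused = sign('HS256', publicKey, { sub: 'admin' });
console.log('header-trusting accepts confused token:', accepts(confused, publicKey));
console.log('pinned RS256 accepts confused token:', accepts(confused, publicKey, 'RS256'));
console.log('pinned RS256 accepts legitimate token:', accepts(legit, publicKey, 'RS256'));
```

Applications that cannot upgrade immediately can apply the same idea at the call site by checking the token header's `alg` against the single expected value before any key material is used.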

Exploits (4)

nomisec WORKING POC 282 stars
by z-bool · poc
https://github.com/z-bool/Venom-JWT
nomisec WORKING POC 1 stars
by CircuitSoul · poc
https://github.com/CircuitSoul/poc-cve-2016-10555
nomisec WORKING POC
by scent2d · poc
https://github.com/scent2d/PoC-CVE-2016-10555

Scores

CVSS v3 6.5
EPSS 0.8189
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-310 CWE-20
Status published
Products (2)
jwt-simple_project/jwt-simple < 0.3.0
npm/jwt-simple 0 - 0.3.1 (npm)
Published May 31, 2018
Tracked Since Feb 18, 2026