CVE-2025-65945

HIGH

auth0/node-jws <4.0.0 - Improper Signature Verification

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-65945. PoCs published by jedisct1, adminlove520.

AI-analyzed exploit summary This PoC demonstrates a signature verification bypass in the `node-jws` library, allowing attackers to forge valid JWTs when HMAC secrets are derived from user-controlled data. The exploit leverages an empty secret to bypass validation when a non-existent key ID is provided.

Description

auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.

Exploits (2)

nomisec WORKING POC 5 stars

by jedisct1 · poc

https://github.com/jedisct1/CVE-2025-65945-poc

View Code ZIP pw:eip

This PoC demonstrates a signature verification bypass in the `node-jws` library, allowing attackers to forge valid JWTs when HMAC secrets are derived from user-controlled data. The exploit leverages an empty secret to bypass validation when a non-existent key ID is provided.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: node-jws <= 3.2.2 and 4.0.0

No auth needed

Prerequisites: Vulnerable version of node-jws installed · Server-side code that looks up secrets based on JWT headers

MITRE ATT&CK

T1550.003 - Pass the Ticket

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github WORKING POC 2 stars

by adminlove520 · pythonpoc

https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-65945

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-65945, demonstrating a signature verification bypass in the `node-jws` library. The exploit forges a JWT with an empty secret, bypassing authentication when the server fails to validate the secret properly.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: node-jws (versions <= 3.2.2 and 4.0.0)

No auth needed

Prerequisites: node-jws library installed (vulnerable version) · Bun or Node.js runtime

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x

Patch x_refsource_misc

https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0002

EPSS Percentile 3.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-347

Status published

Products (3)

auth0/node-jws 4.0.0

auth0/node-jws < 3.2.2

npm/jws 0 - 3.2.3npm

Published Dec 04, 2025

Tracked Since Feb 18, 2026