
vulnerable package version of jsonwebtoken

Open MarciB-IT opened this issue 2 years ago • 1 comment

While I was doing an npm audit for my repo, I saw that there is a vulnerable package used and it should be updated:

# npm audit report

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6

No fix available

node_modules/jsonwebtoken
  @serverless-jwt/jwt-verifier  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/@serverless-jwt/jwt-verifier

2 moderate severity vulnerabilities

The fix should thus be to use version 9 of jsonwebtoken.

MarciB-IT avatar Dec 20 '23 17:12 MarciB-IT

Bumping this up. @sandrinodimattia any chance we can get a quick update of this package?

KenEucker avatar Dec 04 '25 04:12 KenEucker