GHSA-c7hr-j4mj-j2w6

GitHub Security Advisory

Verification Bypass in jsonwebtoken

✓ GitHub Reviewed CRITICAL Has CVE

Advisory Details

Versions 4.2.1 and earlier of `jsonwebtoken` are affected by a verification bypass vulnerability. This is a result of weak validation of the JWT algorithm type, occurring when an attacker is allowed to arbitrarily specify the JWT algorithm.

## Recommendation

Update to version 4.2.2 or later.

Affected Packages

npm jsonwebtoken
Affected versions: 4.2.1 and earlier (fixed in 4.2.2)

Related CVEs

Key Information

GHSA ID
GHSA-c7hr-j4mj-j2w6
Published
October 9, 2018 12:38 AM
Last Modified
August 31, 2020 6:07 PM
CVSS Score
9.0 /10
Primary Ecosystem
npm
Primary Package
jsonwebtoken
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 4, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.