Versions of `hapi-auth-jwt2` prior to version 5.1.2 are affected by a complete authentication bypass vulnerability when in the `try` authentication mode.

## Recommendation

Update to version 5.1.2 or later.

Affected Packages

npm hapi-auth-jwt2

Affected versions: 5.1.1 (fixed in 5.1.2)

Related CVEs

CVE-2016-10525

Key Information

GHSA ID

GHSA-mg8r-9g6j-hwv9

Published

February 18, 2019 11:39 PM

Last Modified

September 15, 2021 6:58 PM

CVSS Score

9.0 /10

Primary Ecosystem

npm

Primary Package

hapi-auth-jwt2

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.