GHSA-vgrx-w6rg-8fqf

GitHub Security Advisory

Forgeable Public/Private Tokens in jwt-simple

GitHub Reviewed · Severity: CRITICAL · Has CVE

Advisory Details

Affected versions of the `jwt-simple` package let the presenter of a JWT choose which algorithm the server uses to verify it. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of JWTs (session or API authentication), the end result is a complete authentication bypass with minimal effort.

## Recommendation

Update to version 0.3.1 or later.

Additionally, be sure to always specify an algorithm in calls to `.decode()`.

Affected Packages

npm jwt-simple
Affected versions: all versions prior to 0.3.1 (fixed in 0.3.1)

Key Information

GHSA ID: GHSA-vgrx-w6rg-8fqf
Published: November 6, 2018 11:12 PM
Last Modified: August 31, 2020 6:10 PM
CVSS Score: 9.0 / 10
Primary Ecosystem: npm
Primary Package: jwt-simple
GitHub Reviewed: Yes

Dataset

Last updated: July 4, 2025 6:20 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.