7.5

CVE-2025-65945

EPSS 0.01%
Veröffentlicht 04.12.2025 18:45:37
Zuletzt bearbeitet 09.03.2026 21:19:08
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Auth0 ≫ Node-jws SwPlatformnode.js Version < 3.2.2

Auth0 ≫ Node-jws Version4.0.0 SwPlatformnode.js

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.013

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x

Vendor Advisory

https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-65945

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-65945

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-65945

EUVD