Bug 2418904 (CVE-2025-65945) - CVE-2025-65945 node-jws: auth0/node-jws: Improper signature verification in HS256 algorithm
Summary: CVE-2025-65945 node-jws: auth0/node-jws: Improper signature verification in H...
Keywords:
Status: NEW
Alias: CVE-2025-65945
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-12-04 19:01 UTC by OSIDB Bzimport
Modified: 2025-12-16 09:17 UTC (History)
47 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-12-04 19:01:38 UTC 
auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.
Comment 2 Jean-frederic Clere 2025-12-16 09:17:16 UTC 
Just a note that JWS here has nothing to do with JWS/Tomcat, it is a npm package that use JSON Web Signatures.
Note You need to log in before you can comment on or make changes to this bug.