CVE

CVE-2025-65945

auth0/node-jws improper HMAC signature verification vulnerability

CVE

CVE-2025-65945

auth0/node-jws improper HMAC signature verification vulnerability

auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

7.5

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/65xxx/CVE-2025-65945.json, https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e, https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x, https://nvd.nist.gov/vuln/detail/CVE-2025-65945

Severity

7.5

CVSS Score

Basic Information

Ecosystem

Base CVSS

7.5

EPSS Probability

0.00009%

EPSS Percentile

0.00691%

Introduced Version

0,1389f6d3d018b2da4af0167f48e44f90d811ae87

Fix Available

4f6e73f24df42f07d632dec6431ade8eda8d11a6

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2025-65945

CVE-2025-65945

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

7.5

Basic Information

Fix Critical Vulnerabilities Instantly