N/A

CVSS Score

Basic Information

CVE ID

CVE-2016-10555

GHSA ID

GHSA-vgrx-w6rg-8fqf

EPSS Score

0.9929%

CWE

CWE-20

Published

11/6/2018

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-10555

CVE-2016-10555:
Forgeable Public/Private Tokens in jwt-simple

Affected versions of the jwt-simple package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT, the end result is a complete authentication bypass with minimal effort.

Recommendation

Update to version 0.3.1 or later.

Additionally, be sure to always specify an algorithm in calls to .decode().

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2016-10555

GHSA ID

GHSA-vgrx-w6rg-8fqf

EPSS Score

0.9929%

CWE

CWE-20

Published

11/6/2018

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
jwt-simple	npm	< 0.3.1	0.3.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from jwt-simple's decode function (lib/jwt.js) accepting algorithm specifications from untrusted JWT headers. The commit diff shows the patched version added an algorithm parameter to override header values. Pre-0.3.1 versions lacked this enforcement, matching CVE-2016-10555's description of algorithm choice being client-controlled. This allowed attackers to substitute asymmetric algorithms with symmetric ones using public keys as HMAC secrets.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* t** `jwt-simpl*` p**k*** *llow us*rs to s*l**t w**t *l*orit*m t** s*rv*r will us* to v*ri*y * provi*** JWT. * m*li*ious **tor **n us* t*is ****viour to *r*itr*rily mo*i*y t** *ont*nts o* * JWT w*il* still p*ssin* v*ri*i**tion. *o

Reasoning

T** vuln*r**ility st*ms *rom `jwt-simpl*`'s `***o**` *un*tion (`li*/jwt.js`) ****ptin* *l*orit*m sp**i*i**tions *rom untrust** JWT *****rs. T** *ommit *i** s*ows t** p*t**** v*rsion ***** *n *l*orit*m p*r*m*t*r to ov*rri** *****r v*lu*s. Pr*-*.*.* v*

N/A

Basic Information

Concerned about an active attack path?

CVE-2016-10555: Forgeable Public/Private Tokens in jwt-simple

Recommendation

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2016-10555:
Forgeable Public/Private Tokens in jwt-simple

Vulnerability Intelligence
Miggo AI