CVE-2020-15084: Authorization bypass in express-jwt
7.7
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.20153%
CWE
Published
6/30/2020
Updated
2/2/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
express-jwt | npm | <= 5.3.3 | 6.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing algorithm enforcement in the core middleware setup. The commit diff shows critical validation
was added in lib/index.js
(lines 22-24) to make 'algorithms' required. Before this fix, the function processing()
JWT configuration didn't validate the presence of the 'algorithms' array, which is essential for preventing algorithm confusion attacks when using JWKS-based verification. This matches the CVE description of authorization bypass through missing algorithm restrictions.