auth0/node-jws is a JSON Web Signature implementation for Node.js. In essence, it's used to verify the authenticity and integrity of data transmitted over the internet. The vulnerability in this software allows attackers to bypass signature verification, potentially leading to unauthorized access or manipulation of sensitive data.
Affected versions: 3.2.2 If you don't recognise this software, you're probably not affected.
To fix this issue, upgrade to auth0/node-jws versions 3.2.3 or later and 4.0.1 or later. You can do this by running the following command in your terminal: npm install auth0/node-jws@latest. Alternatively, you can apply immediate mitigations:
- Set the verifyOptions option to { verifySignature: false } when creating a new signature.
- Use the verifyOptions option with verifySignature: true only for trusted sources.