CVE-2025-65945

auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-347"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/65xxx/CVE-2025-65945.json"
}

References

Affected packages

Git / github.com/auth0/node-jws

Affected ranges

Type

GIT

Repo

https://github.com/auth0/node-jws

Events

Introduced

Fixed

4f6e73f24df42f07d632dec6431ade8eda8d11a6

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.2.3"
        }
    ]
}

Type

GIT

Repo

https://github.com/auth0/node-jws

Events

Introduced

1389f6d3d018b2da4af0167f48e44f90d811ae87

Last affected

34c45b2c04434f925b638de6a061de9339c0ea2e

Database specific

{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "last_affected": "4.0.1"
        }
    ]
}

Affected versions

v0.*

v0.1.0

v0.2.0

v0.2.1

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.2.6

v1.*

v1.0.0

v1.0.1

v2.*

v2.0.0

v3.*

v3.0.0

v3.1.0

v3.1.1

v3.1.2

v3.1.3

v3.1.4

v3.1.5

v3.2.0

v3.2.1

v3.2.2

v4.*

v4.0.0

v4.0.1