CVE-2016-10555
Authentication Bypass vulnerability in jwt-simple (npm)

Authentication Bypass Proof of concept

What is CVE-2016-10555 About?

This vulnerability in the `jwt-simple` package allows for an authentication bypass due to an attacker's ability to dictate the algorithm used for JWT verification. Attackers can modify JWT contents and still pass verification, leading to unauthorized access. Exploitation is straightforward given control over the algorithm parameter.

Affected Software

jwt-simple <0.3.1

Technical Details

Affected versions of the jwt-simple package let the algorithm used for JWT verification be chosen by the caller or, more dangerously, read from the token's own unvalidated header instead of being fixed server-side. A malicious actor can exploit this by specifying the 'none' algorithm (or a weaker algorithm) in the JWT header. If the server-side verification logic uses this user-supplied algorithm, it verifies the JWT without any signature check, so the attacker can arbitrarily modify the payload of the JWT, such as user IDs or roles, and still have it accepted as valid. This results in a complete authentication bypass.

What is the Impact of CVE-2016-10555?

Successful exploitation may allow attackers to bypass authentication mechanisms, impersonate legitimate users, gain unauthorized access to sensitive functionality, and potentially escalate privileges.

What is the Exploitability of CVE-2016-10555?

Exploitation is of low complexity. It typically requires remote access, where an attacker intercepts or crafts a JWT and modifies its header to specify a 'none' algorithm. No prior authentication is explicitly needed for the attack itself, as its purpose is to bypass authentication, but the attacker needs to be able to submit a JWT for processing. The primary prerequisite is an application using jwt-simple that does not explicitly specify a verification algorithm, or trusts the algorithm provided in the JWT header. Risk factors include widespread use of JWT tokens for session management and API authentication.

What are the Known Public Exploits?

PoC Author  | Link | Commentary
z-bool      | Link | A vulnerability verification / key brute-forcing tool developed for JWT penetration testing. It targets CVE-2015-9235, blank keys, unverified-signature attacks, CVE-2016-10555, CVE-2018-0114 and CVE-2020-28042, generates results for fuzzing, and can also brute-force keys with a wordlist or character enumeration (including JJWT) (JWT Crack).
CircuitSoul | Link | Change the algorithm RS256 (asymmetric) to HS256 (symmetric) - POC (CVE-2016-10555)
scent2d     | Link | CVE-2016-10555 PoC code

What are the Available Fixes for CVE-2016-10555?

Available Upgrade Options

  • jwt-simple
    • <0.3.1 → Upgrade to 0.3.1


Additional Resources

What are Similar Vulnerabilities to CVE-2016-10555?

Similar Vulnerabilities: CVE-2022-26162, CVE-2022-25911, CVE-2023-28155, CVE-2023-38435, CVE-2023-26154