CVE-2025-65945
Improper Signature Verification vulnerability in jws (npm)
What is CVE-2025-65945 About?
An improper signature verification vulnerability exists in auth0/node-jws when using the HS256 algorithm under specific conditions. It allows attackers to bypass signature validation, potentially leading to unauthorized access or privilege escalation. Exploitation is possible if specific preconditions related to API usage and user-provided data are met.
Affected Software
- jws
- >=4.0.0, <4.0.1
- <3.2.3
Technical Details
This vulnerability is an Improper Signature Verification flaw that affects auth0/node-jws versions <=3.2.2 || 4.0.0 when the jws.createVerify() function is used for HMAC algorithms (specifically HS256) AND the application uses user-provided data from the JSON Web Signature (JWS) Protected Header or Payload in HMAC secret lookup routines. The flaw means that under these conditions, the verification process can be manipulated or bypassed, allowing an attacker to craft a JWS token that appears legitimate but has not been signed with the correct secret, thus passing signature verification checks.
What is the Impact of CVE-2025-65945?
Successful exploitation may allow attackers to bypass security mechanisms, gain unauthorized access, or elevate privileges, potentially leading to data compromise or system control.
What is the Exploitability of CVE-2025-65945?
Exploitation requires remote access, as an attacker would typically submit a crafted JWS token to a vulnerable application. No authentication is explicitly required for the attacker to submit the token, but the vulnerability's impact often relates to gaining unauthorized access where authentication is normally enforced. Privilege requirements are related to the access conferred by a successfully forged token. The complexity is moderate, requiring an understanding of JWS token structures and careful manipulation of headers or payload data to interfere with secret lookup. Special conditions dictate exploitation: the application must use jws.createVerify() for HMAC algorithms (like HS256) AND incorporate user-provided JWS header/payload data into its secret lookup. The primary risk factor is the application's reliance on createVerify() with dynamic secret lookup logic involving untrusted input.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2025-65945?
About the Fix from Resolved Security
The patch explicitly checks for a missing secret (null or undefined) when using HMAC algorithms (those starting with "HS") in both signing and verification, throwing a TypeError if the secret is absent. This ensures that for CVE-2025-65945, attackers cannot bypass authentication by omitting the secret, preventing unauthorized creation or acceptance of forged tokens.
Available Upgrade Options
- jws
- <3.2.3 → Upgrade to 3.2.3
- jws
- >=4.0.0, <4.0.1 → Upgrade to 4.0.1
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/auth0/node-jws/releases/tag/v4.0.1
- https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e
- https://github.com/auth0/node-jws
- https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x
- https://nvd.nist.gov/vuln/detail/CVE-2025-65945
- https://github.com/auth0/node-jws/releases/tag/v3.2.3
- https://osv.dev/vulnerability/GHSA-869p-cjfg-cm3x
- https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e
- https://github.com/auth0/node-jws/commit/4f6e73f24df42f07d632dec6431ade8eda8d11a6
- https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x
What are Similar Vulnerabilities to CVE-2025-65945?
Similar Vulnerabilities: CVE-2023-XXXXX , CVE-2022-YYYYY , CVE-2021-ZZZZZ , CVE-2020-AAAAA , CVE-2019-BBBBB
