Headline
GHSA-869p-cjfg-cm3x: auth0/node-jws Improperly Verifies HMAC Signature
Overview
An improper signature verification vulnerability exists when using auth0/node-jws with the HS256 algorithm under specific conditions.
Am I Affected?
You are affected by this vulnerability if you meet all of the following preconditions:
- Application uses the auth0/node-jws implementation of JSON Web Signatures, versions <=3.2.2 || 4.0.0
- Application uses the jws.createVerify() function for HMAC algorithms
- Application uses user-provided data from the JSON Web Signature Protected Header or Payload in the HMAC secret lookup routines
You are NOT affected by this vulnerability if you meet any of the following preconditions:
- Application uses the jws.verify() interface (note:
auth0/node-jsonwebtokenusers fall into this category and are therefore NOT affected by this vulnerability) - Application uses only asymmetric algorithms (e.g. RS256)
- Application doesn’t use user-provided data from the JSON Web Signature Protected Header or Payload in the HMAC secret lookup routines
Fix
Upgrade auth0/node-jws version to version 3.2.3 or 4.0.1
Acknowledgement
Okta would like to thank Félix Charette for discovering this vulnerability.
Skip to content
Navigation Menu
AI CODE CREATION
GitHub CopilotWrite better code with AI
GitHub SparkBuild and deploy intelligent apps
GitHub ModelsManage and compare prompts
MCP RegistryNewIntegrate external tools
View all features
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
Appearance settings
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-65945
auth0/node-jws Improperly Verifies HMAC Signature
High severity GitHub Reviewed Published Dec 4, 2025 in auth0/node-jws • Updated Dec 4, 2025
Affected versions
< 3.2.3
= 4.0.0
Patched versions
3.2.3
4.0.1
Description
Overview
An improper signature verification vulnerability exists when using auth0/node-jws with the HS256 algorithm under specific conditions.
Am I Affected?
You are affected by this vulnerability if you meet all of the following preconditions:
- Application uses the auth0/node-jws implementation of JSON Web Signatures, versions <=3.2.2 || 4.0.0
- Application uses the jws.createVerify() function for HMAC algorithms
- Application uses user-provided data from the JSON Web Signature Protected Header or Payload in the HMAC secret lookup routines
You are NOT affected by this vulnerability if you meet any of the following preconditions:
- Application uses the jws.verify() interface (note: auth0/node-jsonwebtoken users fall into this category and are therefore NOT affected by this vulnerability)
- Application uses only asymmetric algorithms (e.g. RS256)
- Application doesn’t use user-provided data from the JSON Web Signature Protected Header or Payload in the HMAC secret lookup routines
Fix
Upgrade auth0/node-jws version to version 3.2.3 or 4.0.1
Acknowledgement
Okta would like to thank Félix Charette for discovering this vulnerability.
References
- GHSA-869p-cjfg-cm3x
- auth0/node-jws@34c45b2
- auth0/node-jws@4f6e73f
- https://github.com/auth0/node-jws/releases/tag/v3.2.3
- https://github.com/auth0/node-jws/releases/tag/v4.0.1
Published to the GitHub Advisory Database
Dec 4, 2025
EPSS score