Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-65945

Good to know:

icon
icon

Date: December 4, 2025

auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.

Severity Score

Related Resources (8)

https://nvd.nist.gov/vuln/detail/CVE-2025-65945
https://github.com/auth0/node-jws/releases/tag/v3.2.3
https://github.com/auth0/node-jws/commit/4f6e73f24df42f07d632dec6431ade8eda8d11a6
https://github.com/auth0/node-jws
https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e
https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x
https://github.com/auth0/node-jws/releases/tag/v4.0.1
https://www.mend.io/vulnerability-database/CVE-2025-65945

Severity Score

Weakness Type (CWE)

Improper Verification of Cryptographic Signature

CWE-347

Top Fix

icon

Upgrade Version

Upgrade to version jws - 3.2.3;jws - 4.0.1;https://github.com/auth0/node-jws.git - v4.0.1;https://github.com/auth0/node-jws.git - v3.2.3

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

Do you need more information?

Contact Us