CVE-2025-65945
📋 TL;DR
This vulnerability allows attackers to bypass JSON Web Signature verification in auth0/node-jws when using HMAC algorithms. Applications are affected if they use user-provided data from JWS headers or payloads in HMAC secret lookup routines. This can lead to authentication bypass and unauthorized access.
💻 Affected Systems
- auth0/node-jws
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete authentication bypass allowing attackers to forge valid JWTs, impersonate users, and gain unauthorized access to protected resources and systems.
Likely Case
Authentication bypass in applications that rely on JWS verification for API security, potentially exposing sensitive data or allowing privilege escalation.
If Mitigated
Limited impact if applications use proper key management and don't rely on user-provided data for secret lookup, with monitoring detecting anomalous JWT usage.
🎯 Exploit Status
Exploitation requires specific application configuration where user-controlled data influences HMAC secret selection. No public exploit code known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.3 and 4.0.1
Vendor Advisory: https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x
Restart Required: Yes
Instructions:
1. Update the jws package (the npm name of auth0/node-jws) to version 3.2.3 or 4.0.1 using npm update jws.
2. Restart all Node.js applications using the library.
3. Test JWS verification functionality after the update.
🔧 Temporary Workarounds
Avoid user-controlled secret lookup
Modify application code so that it does not use user-provided data from JWS headers or the payload when determining HMAC secrets.
Use alternative JWS library
Temporarily switch to a different JWS implementation such as jsonwebtoken while waiting to patch. Note that jsonwebtoken itself depends on jws internally, so confirm the resolved jws version with npm ls jws after switching.
npm uninstall jws
npm install jsonwebtoken
🧯 If You Can't Patch
- Implement strict input validation on JWS headers and payload to reject suspicious patterns
- Add additional authentication layers and monitor for anomalous JWT usage patterns
🔍 How to Verify
Check if Vulnerable:
Check package.json for the jws (node-jws) version and verify whether the application uses jws.createVerify() with HMAC algorithms and user-controlled data in the secret lookup.
Check Version:
npm list jws | grep jws
Verify Fix Applied:
Verify that the jws version is 3.2.3 or higher (for v3) or 4.0.1 or higher (for v4) using npm list jws
📡 Detection & Monitoring
Log Indicators:
- Failed JWS verification attempts followed by successful authentication
- Unusual JWT header patterns
- Multiple authentication attempts with similar but varying JWTs
Network Indicators:
- Unusual API authentication patterns
- Requests with malformed or suspicious JWS headers
SIEM Query:
source="application_logs" AND ("jws.createVerify" OR "HMAC verification") AND (status="success" AFTER status="failure")
(Pseudo-query: the "AFTER" sequence condition is illustrative and must be expressed in your SIEM's own syntax, for example as a per-client time-ordered search.)
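As an added example of the log indicator above (not part of the advisory), the following scans structured application logs for the sequence the SIEM query describes: one or more failed JWS verifications from a client followed by a successful verification within a short window. The JSON log format, its field names (ts, client, event, result) and the sample lines are constructed for this example.

```javascript
// Added example: detect "failed JWS verification followed by success" per client.
// Log schema and sample lines are constructed; adapt field names to your logger.
const SAMPLE_LOGS = [
  '{"ts":"2025-01-10T09:00:00Z","client":"203.0.113.5","event":"jws_verify","result":"failure","alg":"HS256"}',
  '{"ts":"2025-01-10T09:00:05Z","client":"203.0.113.5","event":"jws_verify","result":"failure","alg":"HS256"}',
  '{"ts":"2025-01-10T09:00:10Z","client":"203.0.113.5","event":"jws_verify","result":"success","alg":"HS256"}',
  '{"ts":"2025-01-10T09:00:00Z","client":"198.51.100.7","event":"jws_verify","result":"failure","alg":"HS256"}',
  '{"ts":"2025-01-10T10:00:00Z","client":"198.51.100.7","event":"jws_verify","result":"success","alg":"HS256"}',
  '{"ts":"2025-01-10T09:01:00Z","client":"198.51.100.9","event":"jws_verify","result":"success","alg":"HS256"}',
  'this line is not JSON and must be skipped, not crash the scan',
];

// Parse one line; return null for anything that is not a usable record.
function parseLine(line) {
  try {
    const r = JSON.parse(line);
    if (typeof r.ts !== 'string' || typeof r.client !== 'string' || typeof r.result !== 'string') return null;
    const t = Date.parse(r.ts);
    if (Number.isNaN(t)) return null;
    return { ...r, t };
  } catch {
    return null;
  }
}

// Returns one hit per client for each success that follows at least one failure
// within windowSeconds; failure count and gap are reported for triage.
function findFailThenSuccess(lines, windowSeconds) {
  const byClient = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.event !== 'jws_verify') continue;
    if (!byClient.has(r.client)) byClient.set(r.client, []);
    byClient.get(r.client).push(r);
  }

  const hits = [];
  for (const [client, events] of byClient) {
    events.sort((a, b) => a.t - b.t);
    let lastFailure = null;
    let failures = 0;
    for (const e of events) {
      if (e.result === 'failure') {
        lastFailure = e;
        failures += 1;
      } else if (e.result === 'success' && lastFailure !== null && e.t - lastFailure.t <= windowSeconds * 1000) {
        hits.push({ client, failuresBefore: failures, gapSeconds: (e.t - lastFailure.t) / 1000 });
        lastFailure = null;
        failures = 0;
      }
    }
  }
  return hits;
}
```

Run as is, the scan flags 203.0.113.5 (two failures then a success five seconds later) and ignores 198.51.100.7, whose success comes an hour after its failure and falls outside a 300-second window; the window and the failure threshold are the knobs to tune against your own baseline.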