[Bug] jsonwebtoken <=8.5.1 #127

buildpeak · 2022-12-22T10:17:15Z

npm audit fix error
jsonwebtoken <=8.5.1
Severity: high

To Reproduce
Steps to reproduce the behavior:

Run npm install fireblocks-sdk
Run npm audit fix
See below error:

# npm audit report

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
No fix available
node_modules/jsonwebtoken
  fireblocks-sdk  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/fireblocks-sdk

Version:

fireblocks-sdk version: 2.5.3
npm version: 8.19.2
node version: v16.14.2

The text was updated successfully, but these errors were encountered:

yarinvak · 2023-02-10T15:34:49Z

Fixed in #132
Thanks for reporting

buildpeak added the bug Something isn't working label Dec 22, 2022

buildpeak assigned tomervil and yarinvak Dec 22, 2022

buildpeak changed the title ~~[Bug]~~ [Bug] jsonwebtoken <=8.5.1 Dec 22, 2022

yarinvak closed this as completed Feb 10, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug] jsonwebtoken <=8.5.1 #127

[Bug] jsonwebtoken <=8.5.1 #127

buildpeak commented Dec 22, 2022

yarinvak commented Feb 10, 2023

[Bug] jsonwebtoken <=8.5.1 #127

[Bug] jsonwebtoken <=8.5.1 #127

Comments

buildpeak commented Dec 22, 2022

yarinvak commented Feb 10, 2023