app-search-node icon indicating copy to clipboard operation
app-search-node copied to clipboard
verified publisher icon elastic

Fix jsonwebtoken <=8.5.1 security issue

Open Amine27 opened this issue 3 years ago • 0 comments

Hi,

Can you please fix the security issue of jsonwebtoken package by updating it to v9.0.0. There is no break change AFAIK.

# npm audit report

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
No fix available
node_modules/jsonwebtoken
  @elastic/app-search-node  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/@elastic/app-search-node

2 vulnerabilities (1 moderate, 1 high)

Thank you.

Amine27 avatar Jan 01 '23 17:01 Amine27