Overview
CVE-2025-65945 identifies a high-severity vulnerability in the auth0/node-jws library (published on npm as `jws`), a JSON Web Signature (JWS) implementation for Node.js. The vulnerability affects versions 3.2.2 and earlier as well as version 4.0.0. Under specific conditions it allows an attacker to bypass signature verification for tokens signed with HMAC algorithms such as HS256.
This article provides a detailed analysis of the vulnerability, including technical details, its potential impact, and recommended mitigation steps.
Technical Details
The vulnerability stems from improper signature verification within the jws.createVerify() function when it is used with HMAC algorithms (such as HS256). Specifically, an application is exposed when both of the following hold:
- It uses jws.createVerify() with HMAC algorithms.
- User-provided data from the JWS protected header or payload is used in the HMAC secret lookup routine.
Under these conditions a malicious actor can manipulate the header or payload to influence which secret is used in the HMAC calculation, effectively bypassing signature verification. The root of the problem is ordering: the header and payload are decoded before the signature has been checked, so any secret lookup keyed on their contents runs on attacker-controlled input.
The fix improves validation and handling of the secret lookup process within jws.createVerify() so that user-provided data can no longer influence it.
CVSS Analysis
The vulnerability has been assigned a CVSS score of 7.5, indicating a HIGH severity.
- CVSS Score: 7.5
- Severity: HIGH
This high score reflects the potential for attackers to completely bypass signature verification, leading to significant security implications.
Possible Impact
A successful exploitation of CVE-2025-65945 can have severe consequences:
- Authentication Bypass: Attackers could forge valid JWS tokens, gaining unauthorized access to protected resources and functionalities.
- Data Manipulation: Malicious actors could alter data within the JWS payload without detection, potentially leading to data corruption or unauthorized modifications.
- Privilege Escalation: In scenarios where JWS tokens are used for authorization, attackers could escalate their privileges by forging tokens with elevated permissions.
Mitigation and Patch Steps
To mitigate the risk posed by CVE-2025-65945, update the auth0/node-jws library (npm package `jws`) to a patched version:
- Upgrade to version 3.2.3 or later on the 3.x branch.
- Upgrade to version 4.0.1 or later on the 4.x branch.
You can update the library using npm (the package name is `jws`, not `node-jws`):
npm install jws@4.0.1
or, to stay on the 3.x branch:
npm install jws@3.2.3
Note that `jws` is frequently a transitive dependency (for example, of `jsonwebtoken`), so check the full dependency tree with `npm ls jws --all` rather than only the direct dependencies, and confirm that every resolved copy is at a patched version. Test your application thoroughly after the update to confirm compatibility and proper functionality.
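A check for the transitive case, added here as an example and not part of the article or the node-jws project: it walks a dependency tree in the shape produced by `npm ls jws --json --all` (nested `dependencies` objects with a `version` field, which is an assumption about the output format) and reports every copy of `jws` below the patched versions named above. The dependency tree is constructed for the demo.

```javascript
// Added example: flag unpatched copies of jws anywhere in an npm dependency tree.
// Patched lines per the advisory: >= 3.2.3 on 3.x, >= 4.0.1 on 4.x.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// "3.2.2 and earlier" covers every major below 3 as well. Majors above 4 are
// not named in the advisory and are assumed here to be unaffected.
function isPatchedJws(version) {
  const v = parseVersion(version);
  if (v[0] < 3) return false;
  if (v[0] === 3) return cmp(v, [3, 2, 3]) >= 0;
  if (v[0] === 4) return cmp(v, [4, 0, 1]) >= 0;
  return true;
}

// Depth-first walk over nested `dependencies`; returns one "a@1 > b@2 > jws@x"
// path string per unpatched copy so the offending parent package is obvious.
function findVulnerableJws(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = [...path, `${name}@${info.version}`];
    if (name === 'jws' && info.version && !isPatchedJws(info.version)) {
      out.push(here.join(' > '));
    }
    findVulnerableJws(info, here, out);
  }
  return out;
}

// Constructed sample in the shape of `npm ls jws --json --all` output:
// one patched direct copy and two unpatched transitive copies.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    jsonwebtoken: { version: '9.0.2', dependencies: { jws: { version: '3.2.2' } } },
    jws: { version: '4.0.1' },
    'legacy-auth': { version: '2.1.0', dependencies: { jws: { version: '4.0.0' } } },
  },
};

console.log(findVulnerableJws(SAMPLE_TREE));
```

Against real output, parse the JSON from `npm ls jws --json --all` and pass it to `findVulnerableJws`; an empty result means every resolved copy is at a patched version.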
References
- GitHub Commit (Patch): https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e
- GitHub Security Advisory: https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x
