Skip to content

[Aikido] Fix security issue in jws via minor version upgrade from 4.0.0 to 4.0.1#3

Open
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/aikido-security-update-packages-11459318-rnqX
Open

[Aikido] Fix security issue in jws via minor version upgrade from 4.0.0 to 4.0.1#3
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/aikido-security-update-packages-11459318-rnqX

Conversation

@aikido-autofix

@aikido-autofix aikido-autofix Bot commented Dec 5, 2025

Copy link
Copy Markdown

Upgrading jws to address vulnerabilities. This update contains breaking changes.

1 CVE resolved by this upgrade

This PR will resolve the following CVEs:

Issue Severity           Description
CVE-2025-65945
HIGH
### Overview
An improper signature verification vulnerability exists when using auth0/node-jws with the HS256 algorithm under specific conditions.

### Am I Affected?
You are affected by this vulnerability if you meet all of the following preconditions:

1. Application uses the auth0/node-jws implem...
⚠️ Changelog indicates breaking changes.

Potential breaking changes by upgrading jws from version 4.0.0 to 4.0.1 (CHANGELOG)

Version Description
4.0.1
createSign and createVerify now require that a non-empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms

@ellipsis-dev ellipsis-dev Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skipped PR review on a572a91 because no changed files had a supported extension. If you think this was in error, please contact us and we'll fix it right away.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants