[vulnerabilities][high] jsonwebtoken has insecure input validation in jwt.verify function
Problem
A new jsonwebtoken vulnerability has been published: https://github.com/advisories/GHSA-27h2-hvpr-p74q
1 Fix
Solution: [vulnerabilities][high] jsonwebtoken has insecure input validation in jwt.verify function
twilio-node v3 supports Node v6/8/10, which are not supported by jsonwebtoken v9. But, after reviewing the vulnerabilities in jsonwebtoken v8, our helper lib is not affected (we don’t verify signatures, only do the signing, and we use default algorithms), so no action is planned.
We have a twilio-node v4 release candidate available here https://github.com/twilio/twilio-node/tree/4.0.0-rc which drops support for Node < v14 (since v14 is the oldest maintained Node version right now). I’ll update the PR to upgrade jsonwebtoken to v9 for the v4 release candidate anyway.
Validation
Resolved in twilio/twilio-node GitHub issue #846. Community reactions: 4 upvotes.
Submitted by Alex Chen