Commit 954bd7a

Update CHANGELOG.md
1 parent 24a3700 commit 954bd7a

1 file changed: +5 -6 lines changed

CHANGELOG.md

+5-6
Original file line numberDiff line numberDiff line change
@@ -20,12 +20,11 @@ This project adheres to [Semantic Versioning](http://semver.org/).
2020
### Security
2121

2222
- [asymmetric-keys] Making sure a token signed with an asymmetric key will be verified using a asymmetric key.
23-
24-
This was a vulnerability in this module: When the verification part was expecting a token digitally signed with an asymmetric key (RS/ES family) of algorithms an attacker could send a token signed with a symmetric algorithm (HS* family).
25-
26-
The issue was caused because the same signature was used to verify both type of tokens (`verify` method parameter: `secretOrPublicKey`).
27-
28-
This change adds a new parameter to the verify called `algorithms`. This can be used to specify a list of supported algorithms, but the default value depends on the secret used: if the secretOrPublicKey contains the string `BEGIN CERTIFICATE` the default is `[ 'RS256','RS384','RS512','ES256','ES384','ES512' ]` otherwise is `[ 'HS256','HS384','HS512' ]`. (`jfromaniello`)
23+
When the verification part was expecting a token digitally signed with an asymmetric key (RS/ES family) of algorithms an attacker could send a token signed with a symmetric algorithm (HS* family).
24+
25+
The issue was caused because the same signature was used to verify both type of tokens (`verify` method parameter: `secretOrPublicKey`).
26+
27+
This change adds a new parameter to the verify called `algorithms`. This can be used to specify a list of supported algorithms, but the default value depends on the secret used: if the secretOrPublicKey contains the string `BEGIN CERTIFICATE` the default is `[ 'RS256','RS384','RS512','ES256','ES384','ES512' ]` otherwise is `[ 'HS256','HS384','HS512' ]`. (`jfromaniello`)
2928
https://github.com/auth0/node-jsonwebtoken/commit/c2bf7b2cd7e8daf66298c2d168a008690bc4bdd3
3029
https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687
3130
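Review bot: the entry's own description of the `algorithms` default (RS/ES family only when `secretOrPublicKey` contains the string `BEGIN CERTIFICATE`, otherwise `['HS256','HS384','HS512']`) means a caller who passes a PEM public key rather than a certificate (a PEM public key carries `BEGIN PUBLIC KEY`, not `BEGIN CERTIFICATE`) still lands on the HS* default, which is exactly the asymmetric-vs-symmetric confusion this entry describes; the changelog should tell readers to pass `algorithms` explicitly instead of relying on the default. Two smaller points on the same hunk: dropping the blank line between the `- [asymmetric-keys] ...` bullet and the paragraph that now begins "When the verification part was expecting..." makes that paragraph a lazy continuation of the list item in Markdown, so either keep the blank line or indent the paragraph under the bullet deliberately; and the surviving text still reads "a asymmetric key", "both type of tokens" and "the same signature was used to verify both type of tokens", which should be "an asymmetric key", "both types of tokens" and, since the parenthetical names the `secretOrPublicKey` parameter, "the same parameter was used to verify both types of tokens".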
