CVE-2020-15084 HIGH

CVE-2020-15084: Authorization bypass in express-jwt

Vendor Auth0
Product express-jwt
Weakness CWE-285
Published June 30, 2020
Last update August 4, 2024
View on NVD All CVEs

CVSS base score

7.7/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.

Key dates

02Disclosure timeline

June 30, 2020 CVE published
August 4, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-3569 JamesZBL/code-projects db-hospital-drug ShiroConfig.java improper authorization CVE-2025-65029 Rallly Has an IDOR Vulnerability in Participant Deletion Endpoint Allows Unauthorized Removal of Poll Participants CVE-2021-22861 Improper access control in GitHub Enterprise Server leading to unauthorized write access to forkable repositories CVE-2026-40247 free5gc UDR improper path validation allows unauthenticated access to Traffic Influence Subscriptions CVE-2025-3924 PeproDev Ultimate Profile Solutions 1.9.1 - 7.5.2 - Missing Authorization to Unauthenticated Email Enumeration