CVE-2022-23540 — jsonwebtoken Algorithm Confusion CRITICAL
🔴 CISA KEV
npm
CVSS 9.8 · jsonwebtoken < 9.0.0 → 9.0.0
jsonwebtoken before 9.0.0 allows attackers to forge tokens by exploiting algorithm confusion — when the verifier accepts multiple algorithms, an attacker can switch to a weaker algorithm or the 'none' algorithm to bypass verification entirely.
What's affected
| Package | Ecosystem | Vulnerable | Safe version |
|---|---|---|---|
| jsonwebtoken | npm | < 9.0.0 | 9.0.0 |
How to fix CVE-2022-23540
- Update jsonwebtoken to 9.0.0
- Run npm install
- Always pass algorithms explicitly: jwt.verify(token, secret, {algorithms: ['HS256']})
✓ Verify with PackageFix
Paste your manifest into PackageFix to confirm the fix was applied. If CVE-2022-23540 no longer appears in the CVE table, you're clean.
Frequently Asked Questions
What is algorithm confusion in JWT?
Algorithm confusion occurs when a JWT library accepts tokens signed with unexpected algorithms. An attacker can forge a token signed with 'none' (no signature) or switch to a weaker algorithm the attacker can compute.
Is this on CISA KEV?
Yes — CVE-2022-23540 is on the CISA Known Exploited Vulnerabilities catalog. Authentication bypass via JWT forgery is being actively exploited.
How do I make my JWT verification safe?
Always pass an explicit algorithms array to jwt.verify(). Never pass the algorithm from the token header itself — always use your own hardcoded list.