How to fix EUVD-2025-201250?

Within 24 hours: Identify all applications and services using auth0/node-jws versions 3.2.2 or earlier, and version 4.0.0; assess whether jws.createVerify() is used with HS256 algorithms. Within 7 days: Deploy patches to upgrade to versions 3.2.3 or 4.0.1 across all affected systems, beginning with production authentication infrastructure. Within 30 days: Conduct security testing and log analysis to determine if this vulnerability was exploited; rotate any JWT secrets or signing keys as a precaution.

Is Node.js affected by EUVD-2025-201250?

A signature verification bypass vulnerability exists in the auth0/node-jws library that could allow attackers to forge valid JSON Web Tokens, potentially leading to unauthorized authentication and data access.

EUVD-2025-201250

| CVE-2025-65945 HIGH

2025-12-04 [email protected]

GHSA-869p-cjfg-cm3x

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 16:35 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 16:35 euvd

EUVD-2025-201250

Patch Released

Mar 15, 2026 - 16:35 nvd

Patch available

CVE Published

Dec 04, 2025 - 19:16 nvd

HIGH 7.5

Description

auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.

Analysis

Technical Context

This vulnerability is classified as Improper Verification of Cryptographic Signature (CWE-347).

Affected Products

Affected products: Auth0 Node-Jws

Remediation

A vendor patch is available. Apply it as soon as possible and verify the fix.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

Vendor Status

EUVD-2025-201250 vulnerability details – vuln.today

Back

EUVD-2025-201250

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

EUVD-2025-201250

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code