
CVE-2025-65945: CWE-347: Improper Verification of Cryptographic Signature in auth0 node-jws

Severity: High
Type: Vulnerability
Tags: CVE-2025-65945, cve, cve-2025-65945, cwe-347
Published: Thu Dec 04 2025 (12/04/2025, 18:45:37 UTC)
Source: CVE Database V5
Vendor/Project: auth0
Product: node-jws

Description

auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.

AI-Powered Analysis

Last updated: 12/04/2025, 19:09:29 UTC

Technical Analysis

CVE-2025-65945 is a vulnerability in the auth0/node-jws library, a popular JSON Web Signature implementation for Node.js. It affects versions 3.2.2 and earlier and version 4.0.0, specifically when the HS256 HMAC algorithm is used. The root cause is improper verification of cryptographic signatures: when an application calls jws.createVerify() for an HMAC algorithm and uses user-provided data from the protected header or payload in its HMAC secret lookup, signature validation can be bypassed, and an attacker can forge JWTs that the application accepts as valid. The flaw is categorized under CWE-347, which covers improper verification of cryptographic signatures. Exploitation requires no privileges and no user interaction, and can be triggered remotely over the network. The impact is primarily on integrity, as attackers can manipulate tokens to gain unauthorized access or escalate privileges. The vulnerability has been addressed in versions 3.2.3 and 4.0.1 of the node-jws library. No known exploits are currently reported in the wild, but the high CVSS score of 7.5 indicates a serious risk if left unpatched. This vulnerability is particularly critical for applications relying on JWTs for authentication and authorization, as it undermines the trustworthiness of token validation.

Potential Impact

For European organizations, the impact of CVE-2025-65945 can be significant, especially for those using Node.js applications that depend on the auth0/node-jws library for JWT handling. The ability to bypass signature verification compromises the integrity of authentication tokens, potentially allowing attackers to impersonate users, escalate privileges, or access sensitive resources without authorization. This can lead to data breaches, unauthorized transactions, and disruption of services. Sectors such as finance, healthcare, government, and critical infrastructure, which often rely on JWTs for secure access control, are particularly vulnerable. The vulnerability's network exploitability and lack of required privileges increase the risk of widespread exploitation if attackers discover vulnerable targets. Additionally, compromised tokens can undermine compliance with data protection regulations like GDPR, leading to legal and reputational consequences. The absence of known exploits in the wild currently provides a window for proactive mitigation, but the risk remains high due to the ease of exploitation and the critical role of JWTs in modern web applications.

Mitigation Recommendations

1. Immediately upgrade the auth0/node-jws library to version 3.2.3 or later, or 4.0.1 or later, to apply the official patch addressing this vulnerability.
2. Audit all applications using node-jws to identify usage of jws.createVerify() with HMAC algorithms, ensuring that secret keys are not derived from user-controlled data such as JWT headers or payloads.
3. Implement strict validation and sanitization of any input used in cryptographic operations to prevent manipulation of secret lookup routines.
4. Review and enhance JWT handling logic to enforce strict signature verification policies and reject tokens with unexpected or malformed headers and payloads.
5. Employ runtime application self-protection (RASP) or Web Application Firewall (WAF) rules to detect and block suspicious JWTs or anomalous authentication attempts.
6. Conduct penetration testing and code reviews focused on JWT authentication flows to identify and remediate similar cryptographic verification weaknesses.
7. Educate development teams on secure JWT usage patterns and the risks of using user input in cryptographic key management.
8. Monitor security advisories and threat intelligence feeds for any emerging exploits targeting this vulnerability to respond promptly.
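
An added example (not node-jws code and not taken from the advisory) of recommendations 2 and 4: an HS256 verifier built on Node's crypto module in which the token header can only select among server-defined keys, and every missing or unexpected value fails closed. The key table, the key ID and the function names are hypothetical.

```javascript
// Added example: hardened HS256 verification. All names here are hypothetical.
const crypto = require('node:crypto');

// Server-side key table (constructed sample value). A Map has no inherited
// keys, so a header value such as "__proto__" cannot resolve to anything.
const HMAC_KEYS = new Map([
  ['svc-2025-01', Buffer.from('constructed-sample-secret-0123456789abcdef')],
]);

const b64urlJson = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Helper used to build sample tokens for the checks.
function signHS256(header, payload, secret) {
  const input = `${b64urlJson(header)}.${b64urlJson(payload)}`;
  const sig = crypto.createHmac('sha256', secret).update(input).digest('base64url');
  return `${input}.${sig}`;
}

// Returns the parsed payload, or throws. Fails closed at every step.
function verifyHS256(token) {
  if (typeof token !== 'string') throw new Error('token must be a string');
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed compact serialization');
  const [h, p, s] = parts;
  let header;
  try { header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8')); }
  catch { throw new Error('malformed header'); }
  if (header === null || typeof header !== 'object') throw new Error('malformed header');
  // The algorithm is pinned by the verifier, never taken on trust from the token.
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  // The header may only select among known keys; it never supplies or derives one.
  if (typeof header.kid !== 'string') throw new Error('missing kid');
  const secret = HMAC_KEYS.get(header.kid);
  if (!Buffer.isBuffer(secret) || secret.length < 32) throw new Error('no usable key for kid');
  // Compare the canonical base64url encodings in constant time.
  const expected = Buffer.from(
    crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest('base64url'));
  const given = Buffer.from(s);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  return JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
}
```
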


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-18T16:14:56.691Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 6931d8e6e9ea82452660f546

Added to database: 12/4/2025, 6:54:30 PM

Last enriched: 12/4/2025, 7:09:29 PM

Last updated: 12/5/2025, 3:14:04 AM
