CVE-2025-65945 is a vulnerability in the auth0/node-jws library, a widely used JSON Web Signature implementation for Node.js. The flaw exists in versions 3.2.2 and earlier, as well as versions 4.0.0 and 4.0.1, specifically when using the HS256 HMAC algorithm. The vulnerability arises because the jws.createVerify() function improperly verifies signatures if the application uses user-supplied data from the JWS header or payload to determine the HMAC secret key. This improper verification allows attackers to bypass signature validation, effectively forging tokens or tampering with signed data without detection. The vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature). Exploitation requires no privileges or user interaction and can be performed remotely by crafting malicious tokens. The impact is primarily on integrity, as attackers can impersonate users or escalate privileges by forging JWTs. No known exploits are currently reported in the wild. The issue was addressed by the vendor in versions 3.2.3 and 4.0.1 by correcting the verification logic to prevent user input from influencing secret key selection during signature verification.

For European organizations, this vulnerability poses a significant risk to the integrity of authentication and authorization mechanisms relying on JWTs signed with the vulnerable node-jws versions. Attackers could forge tokens to impersonate users, escalate privileges, or bypass access controls, potentially leading to unauthorized data access, fraudulent transactions, or disruption of services. Sectors such as finance, healthcare, government, and critical infrastructure that depend on secure token-based authentication are particularly vulnerable. The lack of required authentication or user interaction lowers the barrier for exploitation, increasing the threat surface. Although confidentiality and availability are not directly impacted, the integrity compromise can cascade into broader security breaches and compliance violations under GDPR and other regulations. Organizations using affected versions in production environments must prioritize remediation to prevent exploitation.

1. Immediately upgrade all instances of auth0/node-jws to versions 3.2.3 or later, or 4.0.2 and above, where the vulnerability is patched. 2. Audit application code to ensure that secret keys used for HMAC verification are not derived from user-controlled data, especially from JWT headers or payloads. 3. Implement strict input validation and sanitization for any data involved in cryptographic operations. 4. Review and enhance logging and monitoring to detect anomalous JWT usage or authentication failures that could indicate exploitation attempts. 5. Conduct penetration testing focusing on JWT forgery and signature bypass scenarios. 6. Educate development teams about secure JWT handling practices, emphasizing the risks of using user input in cryptographic key material. 7. Consider adopting alternative, well-maintained JWT libraries with robust security track records if feasible. 8. Maintain an inventory of all applications and services using node-jws to ensure comprehensive patching and risk assessment.