{"api_version":"1","generated_at":"2026-05-13T09:19:57+00:00","cve":"CVE-2022-25898","urls":{"html":"https://cve.report/CVE-2022-25898","api":"https://cve.report/api/cve/CVE-2022-25898.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-25898","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-25898"},"summary":{"title":"CVE-2022-25898","description":"The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. Workaround: Validate JWS or JWT signature if it has Base64URL and dot safe string before executing JWS.verify() or JWS.verifyJWT() method.","state":"PUBLIC","assigner":"report@snyk.io","published_at":"2022-07-01 20:15:00","updated_at":"2022-07-13 19:01:00"},"problem_types":["CWE-347"],"metrics":[],"references":[{"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2935896","name":"N/A","refsource":"CONFIRM","tags":[],"title":"Improper Verification of Cryptographic Signature in org.webjars.npm:jsrsasign | CVE-2022-25898 | Snyk","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-2935897","name":"N/A","refsource":"CONFIRM","tags":[],"title":"Improper Verification of Cryptographic Signature in org.webjars.bowergithub.kjur:jsrsasign | CVE-2022-25898 | Snyk","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/kjur/jsrsasign/releases/tag/10.5.25","name":"N/A","refsource":"CONFIRM","tags":[],"title":"Release CVE-2022-25898 Security fix in JWS and JWT validation · kjur/jsrsasign · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2935898","name":"N/A","refsource":"CONFIRM","tags":[],"title":"Improper Verification of Cryptographic Signature in org.webjars.bower:jsrsasign | CVE-2022-25898 | Snyk","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/kjur/jsrsasign/commit/4536a6e9e8bcf1a644ab7c07ed96e453347dae41","name":"N/A","refsource":"CONFIRM","tags":[],"title":"CVE-2022-25898 Security fix in JWS and JWT validation · kjur/jsrsasign@4536a6e · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://snyk.io/vuln/SNYK-JS-JSRSASIGN-2869122","name":"N/A","refsource":"CONFIRM","tags":[],"title":"Improper Verification of Cryptographic Signature in jsrsasign | CVE-2022-25898 | Snyk","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-25898","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25898","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Adi Malyanker","lang":""},{"source":"LEGACY","value":"Or David","lang":""}],"nvd_cpes":[{"cve_year":"2022","cve_id":"25898","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"jsrsasign_project","cpe5":"jsrsasign","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ASSIGNER":"report@snyk.io","DATE_PUBLIC":"2022-07-01T20:00:02.599918Z","ID":"CVE-2022-25898","STATE":"PUBLIC","TITLE":"Improper Verification of Cryptographic Signature"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"jsrsasign","version":{"version_data":[{"version_affected":"<","version_value":"10.5.25"}]}}]},"vendor_name":"n/a"}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Improper Verification of Cryptographic Signature"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://snyk.io/vuln/SNYK-JS-JSRSASIGN-2869122","name":"https://snyk.io/vuln/SNYK-JS-JSRSASIGN-2869122"},{"refsource":"MISC","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2935896","name":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2935896"},{"refsource":"MISC","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-2935897","name":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-2935897"},{"refsource":"MISC","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2935898","name":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2935898"},{"refsource":"MISC","url":"https://github.com/kjur/jsrsasign/commit/4536a6e9e8bcf1a644ab7c07ed96e453347dae41","name":"https://github.com/kjur/jsrsasign/commit/4536a6e9e8bcf1a644ab7c07ed96e453347dae41"},{"refsource":"MISC","url":"https://github.com/kjur/jsrsasign/releases/tag/10.5.25","name":"https://github.com/kjur/jsrsasign/releases/tag/10.5.25"}]},"description":{"description_data":[{"lang":"eng","value":"The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. Workaround: Validate JWS or JWT signature if it has Base64URL and dot safe string before executing JWS.verify() or JWS.verifyJWT() method."}]},"impact":{"cvss":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H/E:P","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"HIGH"}},"credit":[{"lang":"eng","value":"Adi Malyanker"},{"lang":"eng","value":"Or David"}]},"nvd":{"publishedDate":"2022-07-01 20:15:00","lastModifiedDate":"2022-07-13 19:01:00","problem_types":["CWE-347"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:jsrsasign_project:jsrsasign:*:*:*:*:*:node.js:*:*","versionStartIncluding":"4.8.0","versionEndExcluding":"10.5.25","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}