GMS-2020-402: Out-of-bounds Read in njwt

September 1, 2020 (updated September 24, 2021)

Versions of njwt are vulnerable to out-of-bounds reads when a number is passed into the base64urlEncode function.

On Node.js or lower this can expose sensitive information and on any other version of Node.js this creates a Denial of Service vulnerability.

References

github.com/advisories/GHSA-g3qw-9pgp-xpj4
hackerone.com/reports/321704
www.npmjs.com/advisories/679

Code Behaviors & Features

Detect and mitigate GMS-2020-402 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →