### [CVE-2015-9235](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9235)
![](https://img.shields.io/static/v1?label=Product&message=jsonwebtoken%20node%20module&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C4.2.2%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Improper%20Input%20Validation%20(CWE-20)&color=brightgreen)

### Description

In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/0x0806/JWT-Security-Assessment
- https://github.com/ARPSyndicate/cve-scores
- https://github.com/ARPSyndicate/cvemon
- https://github.com/Claret-cyber/Container-Security-Report
- https://github.com/FloRRenn/java-web-project
- https://github.com/HiitCat/JWT-SecLabs
- https://github.com/MR-SS/challenge
- https://github.com/NguyenLy203/Java_project
- https://github.com/NicolasYPS/Agente_IA_Detector_Vuln_Arq
- https://github.com/Nucleware/powershell-jwt
- https://github.com/WinDyAlphA/CVE-2015-9235_JWT_key_confusion
- https://github.com/aalex954/jwt-key-confusion-poc
- https://github.com/achmadismail173/jwt_exploit
- https://github.com/armor-code/acsdk
- https://github.com/capstone-cy-team-1/vuln-web-app
- https://github.com/ere6u5/-containerization-security-assessment-
- https://github.com/google/pseudo-identity-provider
- https://github.com/guchangan1/All-Defense-Tool
- https://github.com/manojsgithub/-armor-code-acsdk-
- https://github.com/mxcezl/JWT-SecLabs
- https://github.com/phramz/tc2022-jwt101
- https://github.com/suddenabnormalsecrets/pseudo-identity-provider
- https://github.com/vivekghinaiya/JWT_hacking
- https://github.com/whoami13apt/tool-
- https://github.com/z-bool/Venom-JWT