### [CVE-2015-9235](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9235)
![](https://img.shields.io/static/v1?label=Product&message=jsonwebtoken%20node%20module&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Improper%20Input%20Validation%20(CWE-20)&color=brighgreen)

### Description

In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/MR-SS/challenge
- https://github.com/Nucleware/powershell-jwt
- https://github.com/WinDyAlphA/CVE-2015-9235_JWT_key_confusion
- https://github.com/aalex954/jwt-key-confusion-poc
- https://github.com/capstone-cy-team-1/vuln-web-app
- https://github.com/mxcezl/JWT-SecLabs
- https://github.com/phramz/tc2022-jwt101
- https://github.com/vivekghinaiya/JWT_hacking