
# CVE-2020-15084: Security Update for express-jwt Library

**Published**: June 30, 2020

**CVE number**: CVE-2020-15084

**Credit**: IST Group

## Overview

In versions up to and including 5.3.3, express-jwt does not enforce that the **algorithms** entry is specified in the configuration.

When **algorithms** is not specified in the configuration, and express-jwt is combined with jwks-rsa or potentially other asymmetric crypto libraries, this may lead to an authorization bypass.

## Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

* You are using express-jwt, AND
* You do not have **algorithms** configured in your express-jwt configuration, AND
* You are using libraries such as jwks-rsa as the **secret**.

## How to fix that?

Specify **algorithms** in the express-jwt configuration. The following is an example of a proper configuration:

```javascript
const checkJwt = jwt({
  secret: jwksRsa.expressJwtSecret({
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: `https://{DOMAIN}/.well-known/jwks.json`
  }),
  // Validate the audience and the issuer.
  audience: process.env.AUDIENCE,
  issuer: `https://{DOMAIN}/`,
  // restrict allowed algorithms
  algorithms: ['RS256']
});
```

## Will this update impact my users?

The fix provided in the patch will not affect your users if you already specified the allowed algorithms. The patch makes **algorithms** a required configuration option.
