This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate jsonwebtoken


(6 total, 1 possibly insecure)

 base64^ to date
 pem^11.0.2up to date
 ring^ to date
 serde^ to date
 serde_json^ to date
 simple_asn1 ⚠️^ insecure

Dev dependencies

(2 total, all up-to-date)

 criterion^ to date
 time^ to date

Security Vulnerabilities

simple_asn1: Panic on incorrect date input to `simple_asn1`


Version 0.6.0 of the simple_asn1 crate panics on certain malformed inputs to its parsing functions, including from_der and der_decode. Because this crate is frequently used with inputs from the network, this should be considered a security vulnerability.

The issue occurs when parsing the old ASN.1 "UTCTime" time format. If an attacker provides a UTCTime where the first character is ASCII but the second character is above 0x7f, a string slice operation in the from_der_ function will try to slice into the middle of a UTF-8 character, and cause a panic.

This error was introduced in commit d7d39d709577710e9dc8, which updated simple_asn1 to use time instead of chrono because of RUSTSEC-2020-159. Versions of simple_asn1 before 0.6.0 are not affected by this issue.

The patch was applied in simple_asn1 version 0.6.1.