> Describes the security update for the JSON Web Token library that addresses CVE-2022-23539, CVE-2022-23541, and CVE-2022-23540.

# CVE-2022-23539, CVE-2022-23541, CVE-2022-23540: Security Update for jsonwebtoken

**Published**: Dec 21, 2022

**CVE numbers**: CVE-2022-23539, CVE-2022-23541, CVE-2022-23540

### Overview

Auth0 has released a new major version of the `jsonwebtoken` library to address four vulnerabilities.

We recommend you review the following security advisories and upgrade to the new major version:

* Unrestricted key type could lead to legacy keys usage: [CVE-2022-23539](https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33)
* Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC: [CVE-2022-23541](https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959)
* Insecure default algorithm in `jwt.verify()` could lead to signature validation bypass: [CVE-2022-23540](https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6)

### Am I affected?

You could be affected, depending on your configuration, if you are using any version of `jsonwebtoken` <= 8.5.1. Please consult the individual security advisories for more details.
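
One way to check a project for affected copies, including ones pulled in transitively, is to scan its npm lockfile. This is an added example, not part of Auth0's bulletin or the library's code: the function names are hypothetical, the sample lockfile is constructed, and it assumes any version below 9.0.0 counts as affected.

```javascript
// Added example: flag jsonwebtoken copies below 9.0.0 in an npm lockfile (v1, v2 or v3).
const FIXED_MAJOR = 9; // 9.0.0 is the fixed release named in this bulletin

// Collect every resolved copy of `name`, including nested transitive copies.
function findPackage(lock, name) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: meta.version });
    }
  }
  if (hits.length > 0) return hits; // v2 also carries the legacy tree; avoid double counting
  // lockfileVersion 1: recursive "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${dep}`;
      if (dep === name) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Assumption: every release with major version < 9 is treated as affected.
function isAffected(version) {
  const major = Number.parseInt(String(version).split(".")[0], 10);
  return Number.isNaN(major) || major < FIXED_MAJOR; // unparsable versions need manual review
}

function auditLock(lock) {
  return findPackage(lock, "jsonwebtoken").filter((hit) => isAffected(hit.version));
}

// Constructed sample lockfile: a direct copy at 9.0.0 and a transitive copy at 8.5.1.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/jsonwebtoken": { version: "9.0.0" },
    "node_modules/legacy-sdk": { version: "2.1.0" },
    "node_modules/legacy-sdk/node_modules/jsonwebtoken": { version: "8.5.1" },
  },
};

for (const hit of auditLock(sampleLock)) console.log(`affected: ${hit.path} @ ${hit.version}`);
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.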

### How do I fix it?

If you are using `jsonwebtoken`, upgrade to version 9.0.0 or higher. You may need some additional configuration. Please consult the individual security advisories for more details.

### Will this update impact my users?

Updating to version 9.0.0 may impact your users depending on your configuration and application needs. Please consult the individual security advisories for more details.
