npm vulnerability intelligence

jsonwebtoken NPM Package Vulnerability Check

JSON Web Token implementation (symmetric and asymmetric)

Critical MIT v9.0.3

v9.0.3 · MIT · 47,892,455 dl/wk

Advisory Breakdown

Critical 1
High 1
Moderate 2
Low 0

Severity Rating

Critical

4 advisories

Known advisories (4)

OSV records for the npm ecosystem

GHSA-8cf7-32gw-wr33 · CVE-2022-23539 · high
jsonwebtoken unrestricted key type could lead to legacy keys usage
Affected: >=0 <9.0.0 · Fixed in: 9.0.0 · Updated Jun 24, 2024

GHSA-c7hr-j4mj-j2w6 · CVE-2015-9235 · critical
Verification Bypass in jsonwebtoken
Affected: >=0 <4.2.2 · Fixed in: 4.2.2 · Updated Feb 4, 2026

GHSA-hjrf-2m68-5959 · CVE-2022-23541 · moderate
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
Affected: >=0 <9.0.0 · Fixed in: 9.0.0 · Updated Jun 24, 2024

GHSA-qwph-4952-7xr6 · CVE-2022-23540 · moderate
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
Affected: >=0 <9.0.0 · Fixed in: 9.0.0 · Updated Feb 13, 2025

Checked Jun 15, 2026, 11:33 AM from npm and OSV.dev

Package metadata

From the npm registry

Package name: jsonwebtoken
Ecosystem: npm
Latest version: 9.0.3
License: MIT
Weekly downloads: 47,892,455

Remediation boundary

What RequestGuard does — and doesn't — cover

RequestGuard does not fix npm package vulnerabilities. Dependency remediation happens through package updates, patches, lockfile changes, and maintainer guidance. RequestGuard can help mitigate runtime abuse around exposed web and API flows while remediation is handled separately.

Signup flows
Login attempts
API traffic

Data from npm registry and OSV.dev · Checked 6/15/2026, 11:33:31 AM