QuantumScan Public scan report

Repository

auth0/node-jwks-rsa

Scanned on Jun 19, 2026

Risk score: 72 / 100 (High risk)

Summary

This JWKS-RSA library relies entirely on quantum-vulnerable algorithms (RSA, ECDSA, EdDSA) for JWT signature verification, which is core to its authentication functionality. All supported algorithms are vulnerable to quantum attacks using Shor's algorithm, putting any authentication system using this library at risk once quantum computers become viable.

Findings by severity

  • Critical: 0
  • High: 25
  • Medium: 0
  • Low: 0

Top findings

  • High: ECDSA

    src/integrations/config.js:10

    ML-DSA (CRYSTALS-Dilithium) or SLH-DSA (SPHINCS+)

    Raw evidence
    'ES512',
  • High: Ed25519 / EdDSA

    src/integrations/config.js:11

    ML-DSA (CRYSTALS-Dilithium) or SLH-DSA

    Raw evidence
    'EdDSA'
  • High: JWT quantum-vulnerable algorithm

    tests/mocks/tokens.js:4

    HS256 (symmetric) or post-quantum signature schemes

    Raw evidence
    return jwt.sign(payload, key, { noTimestamp: true, algorithm: 'RS256', header: { alg: 'RS256', kid } });
  • High: secp256k1 (Bitcoin curve)

    tests/utils.tests.js:12

    Raw evidence
    crv: 'secp256k1',
  • High: RSA

    src/integrations/koa.js:20

    ML-KEM (CRYSTALS-Kyber) for key encapsulation

    Raw evidence
    resolve(key.publicKey || key.rsaPublicKey);

+ 20 more findings in the full report
