kjur
diff --git a/‎ChangeLog.txt
Lines changed: 13 additions & 0 deletions b/‎ChangeLog.txt
Lines changed: 13 additions & 0 deletions
diff --git a/‎README.md
Lines changed: 2 additions & 1 deletion b/‎README.md
Lines changed: 2 additions & 1 deletion
diff --git a/‎api/files.html
Lines changed: 2 additions & 2 deletions b/‎api/files.html
Lines changed: 2 additions & 2 deletions
diff --git a/‎api/symbols/global__.html
Lines changed: 70 additions & 0 deletions b/‎api/symbols/global__.html
Lines changed: 70 additions & 0 deletions
@@ -1,6 +1,19 @@
 
 ChangeLog for jsrsasign
 
+CVE-2022-25898 Security fix in JWS and JWT validation
+* Changes from 10.5.24 to 10.5.25 (2022-Jun-23)
+  - src/jws.js
+    - JWS.verify and JWS.verifyJWT
+      - CVE-2022-25898 SECURITY FIX: 
+        verify and verifyJWT may accept signature with special characters 
+        or \number characters by mistake.
+        Please see security advisory:
+        https://github.com/kjur/jsrsasign/security/advisories/GHSA-3fvg-4v2m-98jf
+  - src/base64x.js
+    - function isBase64URLDot added
+  - test/qunit-do-jwt-veri.html
+
 X509.getParam bugfix for v1 certificate
 * Changes from 10.5.23 to 10.5.24 (2022-Jun-04)
   - src/x509.js
 
@@ -39,7 +39,7 @@ HIGHLIGHTS
 - no dependency to other library
 - no dependency to [W3C Web Cryptography API](https://www.w3.org/TR/WebCryptoAPI/) nor [OpenSSL](https://www.openssl.org/)
 - no dependency on newer ECMAScirpt function. So old browsers also supported. 
-- very popular crypto library with [0.6M+ npm downloads/month](https://npm-stat.com/charts.html?package=jsrsasign&from=2016-05-01&to=2022-06-01)
+- very popular crypto library with [0.6M+ npm downloads/month](https://npm-stat.com/charts.html?package=jsrsasign&from=2016-05-01&to=2022-06-20)
 
 INSTALL
 -------
@@ -78,6 +78,7 @@ MORE TUTORIALS AND SAMPLES
 
 |published|fixed version|title/advisory|CVE|CVSS|
 |:---|:---|:---|:---|:---|
+|2022Jun24|10.5.25|[JWS and JWT signature validation vulnerability with special characters](https://github.com/kjur/jsrsasign/security/advisories/GHSA-3fvg-4v2m-98jf)|CVE-2022-25898|?|
 |2021Apr14|10.2.0|[RSA signature validation vulnerability on maleable encoded message](https://github.com/kjur/jsrsasign/security/advisories/GHSA-27fj-mc8w-j9wg)|CVE-2021-30246|9.1|
 |2020Jun22|8.0.19|[ECDSA signature validation vulnerability by accepting wrong ASN.1 encoding](https://github.com/kjur/jsrsasign/security/advisories/GHSA-p8c3-7rj8-q963)|CVE-2020-14966|5.5|
 |2020Jun22|8.0.18|[RSA RSAES-PKCS1-v1_5 and RSA-OAEP decryption vulnerability with prepending zeros](https://github.com/kjur/jsrsasign/security/advisories/GHSA-xxxq-chmp-67g4)|CVE-2020-14967|4.8|
 
@@ -681,7 +681,7 @@ <h2><a href="symbols/src/base64x-1.1.js.html">base64x-1.1.js</a></h2>
 
 
 						<dt class="heading">Version:</dt>
-							<dd>jsrsasign 10.5.23 base64x 1.1.29 (2022-May-27)</dd>
+							<dd>jsrsasign 10.5.25 base64x 1.1.30 (2022-Jun-23)</dd>
 
 
 
@@ -776,7 +776,7 @@ <h2><a href="symbols/src/jws-3.3.js.html">jws-3.3.js</a></h2>
 
 
 						<dt class="heading">Version:</dt>
-							<dd>jsrsasign 8.0.3 jws 3.3.11 (2018-Mar-11)</dd>
+							<dd>jsrsasign 10.5.25 jws 3.3.12 (2022-Jun-23)</dd>
 
 
 
 
@@ -879,6 +879,16 @@ <h1 class="classTitle">
 							</td>
 						</tr>
 
+						<tr>
+							<td class="attributes">&lt;static&gt; &nbsp;</td>
+							<td class="nameDescription">
+								<div class="fixedFont"><b><a href="../symbols/global__.html#.isBase64URLDot">isBase64URLDot</a></b>(s)
+								</div>
+								<div class="description">check whether a string is a base64url encoded string and dot or not<br/>
+Input string can conclude new lines or space characters.</div>
+							</td>
+						</tr>
+					
 						<tr>
 							<td class="attributes">&lt;static&gt; &nbsp;</td>
 							<td class="nameDescription">
@@ -3184,6 +3194,66 @@ <h1 class="classTitle">
 
 
 
+					<hr />
+				
+					<a name=".isBase64URLDot"> </a>
+					<div class="fixedFont">&lt;static&gt; 
+					
+					<span class="light">{Boolean}</span>
+					<b>isBase64URLDot</b>(s)
+					
+					</div>
+					<div class="description">
+						check whether a string is a base64url encoded string and dot or not<br/>
+Input string can conclude new lines or space characters.
+						
+							<br />
+							<i>Defined in: </i> <a href="../symbols/src/base64x-1.1.js.html">base64x-1.1.js</a>.
+						
+						
+					</div>
+					
+					
+					
+					<pre class="code">isBase64URLDot("YWE") &rarr; true
+isBase64URLDot("YWE.YWE.YWE") &rarr; true
+isBase64URLDot("YW-") &rarr; true
+isBase64URLDot("YW+") &rarr; false</pre>
+					
+					
+					
+						
+							<dl class="detailList">
+							<dt class="heading">Parameters:</dt>
+							
+								<dt>
+									<span class="light fixedFont">{String}</span> <b>s</b>
+									
+								</dt>
+								<dd>input string</dd>
+							
+							</dl>
+						
+						
+						
+							<dl class="detailList">
+							<dt class="heading">Since:</dt>
+								<dd>base64x 1.1.30 jsrsasign 10.5.25</dd>
+							</dl>
+							</dl>
+						
+						
+						
+							<dl class="detailList">
+							<dt class="heading">Returns:</dt>
+							
+								<dd><span class="light fixedFont">{Boolean}</span> true if a string "s" is a base64url encoded string and dot otherwise false</dd>
+							
+							</dl>
+						
+						
+						
+
 					<hr />
 
 					<a name=".ishex"> </a>