Fix jjwt — CVE-2022-21449 CRITICAL
Fix CVE-2022-21449 (CRITICAL) in jjwt for Java/Maven. Paste your pom.xml into PackageFix and get a patched version — no CLI, no signup. ECDSA signature verification bypass (Psychic Signatures).
🔴 CISA KEV — jjwt appears on the CISA Known Exploited Vulnerabilities catalog. Actively exploited in the wild. Fix immediately.
⚠ Vulnerability
CVE-2022-21449 (CRITICAL) — ECDSA signature verification bypass (Psychic Signatures) in jjwt below 0.12.5.
Vulnerable (pom.xml): 0.11.5
Fixed (pom.xml): 0.12.5
✓ Fix
Update jjwt to 0.12.5 and run mvn dependency:resolve.
CVE Details
| Field | Value |
|---|---|
| CVE ID | CVE-2022-21449 |
| Severity | CRITICAL |
| Package | jjwt (Java/Maven) |
| Safe version | 0.12.5 |
| CISA KEV | 🔴 Yes |
| Description | ECDSA signature verification bypass (Psychic Signatures) |
Frequently Asked Questions
What is CVE-2022-21449?
CVE-2022-21449 is a CRITICAL severity vulnerability in jjwt (Java/Maven) that allows ECDSA signature verification bypass (Psychic Signatures). Update to 0.12.5 or later.
How do I fix CVE-2022-21449 in jjwt?
Update jjwt to version 0.12.5 in your pom.xml and run mvn dependency:resolve.
Is CVE-2022-21449 being actively exploited?
Yes — it appears on the CISA KEV catalog. Fix immediately.
How do I verify the fix for CVE-2022-21449?
After updating, paste your pom.xml into PackageFix again. If CVE-2022-21449 no longer appears in the CVE table, the fix is applied.
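The same check can be run locally against a pom.xml. The script below is an added example, not PackageFix's code: it flags every dependency whose artifactId starts with `jjwt` (an assumption about how the library is declared) and compares its version with the 0.12.5 threshold given on this page, resolving `${...}` references only from the same POM's `<properties>`.

```python
import re
import xml.etree.ElementTree as ET

SAFE = (0, 12, 5)  # safe version stated on this page

# Constructed sample POM for the demo (not taken from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jjwt.version>0.11.5</jjwt.version></properties>
  <dependencies>
    <dependency><groupId>io.jsonwebtoken</groupId>
      <artifactId>jjwt-api</artifactId><version>${jjwt.version}</version></dependency>
    <dependency><groupId>io.jsonwebtoken</groupId>
      <artifactId>jjwt-impl</artifactId><version>0.12.5</version></dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """Turn '0.11.5' into (0, 11, 5); any '-qualifier' suffix is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def jjwt_findings(pom_xml, safe=SAFE):
    """Return [(artifactId, version, status)] for every jjwt* dependency.

    status: 'ok', 'vulnerable', or 'unresolved' (no version in this POM).
    """
    root = ET.fromstring(pom_xml)
    # Strip the Maven namespace so lookups work with or without xmlns.
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    findings = []
    for dep in root.iter("dependency"):
        artifact = (dep.findtext("artifactId") or "").strip()
        if not artifact.startswith("jjwt"):
            continue
        raw = (dep.findtext("version") or "").strip()
        # Resolve a ${name} reference against <properties> in this POM only.
        ref = re.fullmatch(r"\$\{(.+)\}", raw)
        version = props.get(ref.group(1), "") if ref else raw
        if not version or not parse_version(version):
            findings.append((artifact, raw or None, "unresolved"))
        else:
            status = "ok" if parse_version(version) >= safe else "vulnerable"
            findings.append((artifact, version, status))
    return findings

if __name__ == "__main__":
    for artifact, version, status in jjwt_findings(SAMPLE_POM):
        print(f"{artifact:12} {version or '-':10} {status}")
```

Versions inherited from a parent POM or a BOM are reported as `unresolved`; confirm those with `mvn dependency:tree`, which shows the version Maven actually selects.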