Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-23529: Insecure input validation in jwt.verify function

node-jsonwebtoken is a JsonWebToken implementation for node.js. For versions <= 8.5.1 of jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link of the jwt.verify() function, they can write arbitrary files on the host machine. Users are affected only if untrusted entities are allowed to modify the key retrieval parameter of the jwt.verify() on a host that you control. This issue has been fixed, please update to version 9.0.0.

CVE
Open in Source
#web#mac#nodejs#js#rce

Overview

For versions <=8.5.1 of jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote code execution (RCE).

Am I affected?

You are affected only if you allow untrusted entities to modify the key retrieval parameter of the jwt.verify() on a host that you control.

How do I fix it?

Update to version 9.0.0

Will the fix impact my users?

The fix has no impact on end users.

Credits

Palo Alto Networks

Related news

Critical Security Flaw Found in "jsonwebtoken" Library Used by 22,000+ Projects

A high-severity security flaw has been disclosed in the open source jsonwebtoken (JWT) library that, if successfully exploited, could lead to remote code execution on a target server. "By exploiting this vulnerability, attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request," Palo Alto Networks Unit 42 researcher Artur Oleyarsh

JsonWebToken Security Bug Opens Servers to RCE

The JsonWebToken package plays a big role in the authentication and authorization functionality for many applications.

GHSA-27h2-hvpr-p74q: jsonwebtoken has insecure input validation in jwt.verify function

# Overview For versions `<=8.5.1` of `jsonwebtoken` library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the `secretOrPublicKey` argument from the [readme link](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback)) of the `jwt.verify()` function, they can gain remote code execution (RCE). # Am I affected? You are affected only if you allow untrusted entities to modify the key retrieval parameter of the `jwt.verify()` on a host that you control. # How do I fix it? Update to version 9.0.0 # Will the fix impact my users? The fix has no impact on end users. # Credits [Palo Alto Networks](https://www.paloaltonetworks.com/)

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE