Headline
GHSA-27h2-hvpr-p74q: jsonwebtoken has insecure input validation in jwt.verify function
Overview
For versions <=8.5.1 of the jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote code execution (RCE).
Am I affected?
You are affected only if you allow untrusted entities to modify the key retrieval parameter of the jwt.verify() function on a host that you control.
How do I fix it?
Update to version 9.0.0.
Will the fix impact my users?
The fix has no impact on end users.
Credits
Palo Alto Networks
References
- GHSA-27h2-hvpr-p74q
- https://nvd.nist.gov/vuln/detail/CVE-2022-23529
- auth0/node-jsonwebtoken@e1fa9dc
Related news
A high-severity security flaw has been disclosed in the open source jsonwebtoken (JWT) library that, if successfully exploited, could lead to remote code execution on a target server. "By exploiting this vulnerability, attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request," Palo Alto Networks Unit 42 researcher Artur Oleyarsh
The JsonWebToken package plays a big role in the authentication and authorization functionality for many applications.
node-jsonwebtoken is a JsonWebToken implementation for node.js. For versions `<= 8.5.1` of the `jsonwebtoken` library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the `secretOrPublicKey` argument from the readme link) of the `jwt.verify()` function, they can write arbitrary files on the host machine. Users are affected only if untrusted entities are allowed to modify the key retrieval parameter of the `jwt.verify()` function on a host that you control. This issue has been fixed; please update to version 9.0.0.