Security Advisories: GSA_kwCzR0hTQS1xd3BoLTQ5NTItN3hyNs4AAwgg

jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()

Overview

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification.

Am I affected?

You will be affected if all the following are true in the jwt.verify() function:

• a token with no signature is received
• no algorithms are specified
• a falsy (e.g. null, false, undefined) secret or key is passed

How do I fix it?

Update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method.

Will the fix impact my users?

There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

Permalink: https://github.com/advisories/GHSA-qwph-4952-7xr6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xd3BoLTQ5NTItN3hyNs4AAwgg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: 9 months ago

CVSS Score: 6.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

Identifiers: GHSA-qwph-4952-7xr6, CVE-2022-23540
References:

• https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6
• https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3
• https://nvd.nist.gov/vuln/detail/CVE-2022-23540
• https://github.com/advisories/GHSA-qwph-4952-7xr6

Repository: https://github.com/auth0/node-jsonwebtoken
Blast Radius: 37.5

Affected Packages