JsonWebToken open source library has a significant security flaw

(Image credit: Shutterstock / Song_about_summer)

The popular open source project JsonWebToken was carrying a high-severity vulnerability that allowed threat actors to execute malicious code on affected endpoints, remotely.

A report from Palo Alto Networks’ cybersecurity arm, Unit 42 outlined how the flaw would allow the server to verify a maliciously crafted JSON web token (JWT) request, thus granting the attackers remote code execution (RCE) abilities. 

That, in turn, would allow threat actors to access sensitive information (including identity data), steal, or modify it.

Patch is available

The flaw is now tracked as CVE-2022-23529, and has been given a severity rate of 7.6/10, marking it as “high-severity”, and not “critical”. 

One of the reasons it’s not been given a higher score is due to the fact that the attackers would first need to compromise the secret management process between an application and a JsonWebToken server.

Anyone using JsonWebToken package version 8.5.1 or an earlier version is advised to update the JsonWebToken package to version 9.0.0, which comes with a patch for the flaw. 

JsonWebToken is an open source JavaScript package allowing users to verify and/or sign JWTs. 

The tokens are usually used for authorization and authentication, the researchers said, adding that it was developed and maintained by Auth0.

At press time, the package had more than nine million weekly downloads and more than 20,000 dependents. “This package plays a big role in the authentication and authorization functionality for many applications,” the researchers said.

The vulnerability was first discovered in mid-July 2022, with Unit 42’s researchers reporting their findings to Auth0 immediately. The authors acknowledged the vulnerability a few weeks later (in August), and finally released a patch on December 21, 2022. 

Auth0 fixed the issue by adding more checks to the secretOrPublicKey parameter, which prevents it from parsing malicious objects.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.