Warning: 4 critical vulnerabilities in jsonwebtoken
jsonwebtoken is an implementation of JSON Web Tokens for Node.js. A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.
JWTs are one of the most widely used authentication standards in web applications, and more than 22 000 npm packages depend on jsonwebtoken.
Exploiting a vulnerability in jsonwebtoken can therefore impact any system running a package that depends on it.
To determine whether you are vulnerable to the issues listed below, first verify which of your packages depend on jsonwebtoken.
The following vulnerabilities were discovered in jsonwebtoken <=8.5.1:
• CVE-2022-23529: Insecure input validation in jwt.verify function
• CVE-2022-23539: Unrestricted key type could lead to legacy keys usage
• CVE-2022-23540: Insecure default algorithm in jwt.verify() could lead to signature validation bypass
• CVE-2022-23541: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
• Upgrade the jsonwebtoken package to version 9.0.0
  - Read the Migration Notes: v8 to v9 to ensure all functions still work after upgrading to v9
• Update all packages that depend on jsonwebtoken to their latest version and ensure that each of them uses jsonwebtoken >=v9.0.0