jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
CVE-2022-23540

7.6HIGH

Key Information:

Vendor

Auth0

Status
Node-jsonwebtoken
Vendor
CVE Published:
22 December 2022

What is CVE-2022-23540?

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify() function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

node-jsonwebtoken <= 8.5.1

References

https://github.com/auth0/node-jsonwebtoken/security/advis...
x_refsource_CONFIRM
https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dc...
x_refsource_MISC
https://security.netapp.com/advisory/ntap-20240621-0007/

CVSS V3.1

Score:
7.6
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.