Platform
nodejs
Component
jsonwebtoken
Fixed in
9.0.0
CVE-2022-23539 describes a potential misconfiguration in the jsonwebtoken library that could lead to the use of legacy, insecure key types for signature verification. This can allow attackers to bypass authentication or forge tokens. This vulnerability affects jsonwebtoken versions up to and including 8.5.1. The issue is resolved in version 9.0.0.
CVE-2022-23539 in the jsonwebtoken library allows for signature verification with legacy, insecure key types if misconfigured. This means, for example, DSA keys could be used with the RS256 algorithm, compromising the integrity and authenticity of JWT tokens. Versions affected are those less than or equal to 8.5.1. The CVSS has been scored at 8.1, indicating a high risk. This vulnerability is particularly concerning for applications relying on JWT for authentication and authorization, as an attacker could potentially forge tokens and gain unauthorized access to protected resources. The combination of EC key with ES256, ES384, and ES512 algorithms is not affected.
An attacker could exploit this vulnerability by misconfiguring the jsonwebtoken library to allow the use of DSA key types with the RS256 algorithm. This would allow the attacker to create forged JWT tokens with DSA keys, which would be accepted as valid by the application if it's using the vulnerable library version. The success of exploitation depends on the incorrect configuration of the library and the attacker's ability to generate DSA keys. Exploitation could result in unauthorized access to protected resources, theft of confidential data, or even taking control of the application.
Exploit Status
EPSS
0.07% (22% percentile)
CVSS Vector
The solution to mitigate this vulnerability is to update the jsonwebtoken library to version 9.0.0 or higher. This version corrects the issue by restricting the use of insecure key types with specific algorithms. Additionally, review your application's configuration to ensure only secure and compatible algorithms and key types are used. Consider implementing additional validations in your code to guarantee received JWT tokens are valid and have not been tampered with. Perform thorough testing after the update to confirm the vulnerability has been resolved and the application's functionality remains unaffected. Regularly monitor your project's dependencies for new vulnerabilities and apply necessary security updates.
Actualice la biblioteca jsonwebtoken a la versión 9.0.0 o superior para validar las combinaciones de tipo de clave asimétrica y algoritmo. Si necesita usar combinaciones inválidas, configure la opción `allowInvalidAsymmetricKeyTypes` en `true` en las funciones `sign()` y/o `verify()`.
Vulnerability analysis and critical alerts directly to your inbox.
A JWT (JSON Web Token) is an open standard for securely transmitting information as a JSON object. It's commonly used for authentication and authorization.
The update fixes a security vulnerability that could allow attackers to forge JWT tokens and gain unauthorized access.
If you can't update immediately, review your application's configuration and ensure only secure algorithms and key types are used.
Check the version of the jsonwebtoken library in your project. If it's less than or equal to 8.5.1, you are vulnerable.
There are dependency security analysis tools that can detect this vulnerability in your projects.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.