CVE-2020-15084
Authorization bypass in express-jwt
Description
### Overview

In versions up to and including 5.3.3, express-jwt does not enforce that the **algorithms** entry is specified in the configuration. When **algorithms** is not specified and the **secret** is supplied by a library such as jwks-rsa, this may lead to authorization bypass.

### Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

- You are using express-jwt, AND
- You do not have **algorithms** configured in your express-jwt configuration, AND
- You are using a library such as jwks-rsa as the **secret**.

### How to fix it?

Specify **algorithms** in the express-jwt configuration. The following is an example of a proper configuration:

```javascript
const checkJwt = jwt({
  secret: jwksRsa.expressJwtSecret({
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: `https://${DOMAIN}/.well-known/jwks.json`
  }),
  // Validate the audience and the issuer.
  audience: process.env.AUDIENCE,
  issuer: `https://${DOMAIN}/`,
  // Restrict the allowed signing algorithms.
  algorithms: ['RS256']
});
```

### Will this update impact my users?

The patched version will not affect your users if you already specify the allowed algorithms. The patch makes **algorithms** a required configuration option.

### Credit

IST Group
How to fix CVE-2020-15084
To remediate CVE-2020-15084, upgrade the affected package to a fixed version below.
- express-jwt: upgrade to 6.0.0 or later
Is CVE-2020-15084 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- express-jwt: >= 0, < 6.0.0