CVE-2022-23541
MEDIUM5.0EPSS 0.06%jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
Description
# Overview Versions `<=8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the `secretOrPublicKey` argument from the [readme link](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback)) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. # Am I affected? You will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. # How do I fix it? Update to version 9.0.0. # Will the fix impact my users? There is no impact for end users
Affected packages (1)
- npm/jsonwebtokenfrom 0, < 9.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.0 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-23541
- PATCHhttps://github.com/auth0/node-jsonwebtoken
- WEBhttps://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3
- WEBhttps://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0
- WEBhttps://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959
- WEBhttps://security.netapp.com/advisory/ntap-20240621-0007