JsonWebToken, which is developed and maintained by Auth0, allows developers to sign and verify JWTs and is used principally for authentication and authorization.
The vulnerable package has over nine million weekly downloads and over 20,000 dependent projects. Palo Alto Networks Unit 42 researchers warned Auth0 immediately after first discovering the vulnerability, tracked as CVE-2022-23529, in July 2022.
To exploit the vulnerability, an attacker must also take advantage of a flaw within the application's secret management process. Because of this complexity, the vulnerability has been given a CVSS score of 7.6.
The Auth0 engineering team provided a patch for the flaw in December 2022. JsonWebToken version 9.0.0 contains the following fix.
This research was documented by Unit 42 researchers from Palo Alto Networks.
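As an added, defender-side example (not code from Auth0, the jsonwebtoken project or Unit 42): a small Node.js script that scans an npm package-lock.json for installed copies of jsonwebtoken older than the fixed 9.0.0 release, including copies nested under other dependencies. The lockfile contents are constructed, and the version comparison follows semver ordering so that a 9.0.0 prerelease is still reported.

```javascript
// Added example (not code from Auth0, jsonwebtoken or Unit 42): scan an npm
// package-lock.json for jsonwebtoken copies older than the fixed 9.0.0 release.
const FIXED_VERSION = '9.0.0';
// Parse "major.minor.patch[-prerelease][+build]"; null if malformed.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}
// True when `version` sorts strictly below `target` in semver order.
// Unparsable versions return false: report them separately rather than guess.
function isOlderThan(version, target) {
  const a = parseSemver(version), b = parseSemver(target);
  if (!a || !b) return false;
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre && !b.pre; // e.g. 9.0.0-beta.1 sorts below 9.0.0
}
// Supports lockfileVersion 2/3 ("packages" keyed by install path) and v1
// ("dependencies" nested per package); nested copies keep their full path.
function findVulnerableJsonwebtoken(lock) {
  const hits = [];
  const check = (path, meta) => {
    if (meta && isOlderThan(meta.version || '', FIXED_VERSION)) hits.push({ path, version: meta.version });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/jsonwebtoken$/.test(path)) check(path, meta);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'jsonwebtoken') check(path, meta);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}
// Constructed sample: top-level copy patched, legacy dependency still bundles an old one.
const SAMPLE_LOCK_V3 = {
  packages: {
    'node_modules/jsonwebtoken': { version: '9.0.0' },
    'node_modules/legacy-auth': { version: '1.2.0' },
    'node_modules/legacy-auth/node_modules/jsonwebtoken': { version: '8.5.1' },
  },
};
console.log(findVulnerableJsonwebtoken(SAMPLE_LOCK_V3)); // one hit: the nested 8.5.1 copy
```

A patched top-level copy is not enough on its own; with 20,000+ dependent projects, an unpatched copy bundled by a transitive dependency is the case this check is meant to surface.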
Vulnerability disclosure timeline
- July 13, 2022 – Unit 42 researchers sent a disclosure to the Auth0 team under responsible disclosure procedures
- July 27, 2022 – Auth0 team responded that the issue was under review
- Aug. 23, 2022 – Unit 42 researchers sent an update request
- Aug. 24, 2022 – Auth0 team responded that the engineering team was working on a resolution
- Dec. 21, 2022 – A patch was provided by the Auth0 engineering team