
JSON Web Token Vulnerability

Image courtesy: Dev Genius

A high-severity security flaw has been found in the popular JsonWebToken open-source JavaScript package. An attacker who can exploit it could achieve remote code execution (RCE) on a server that verifies a maliciously crafted JSON Web Token (JWT).

JsonWebToken (the npm package jsonwebtoken), developed and maintained by Auth0, lets developers sign and verify JWTs and is used principally for authentication and authorization.

The affected package has over nine million weekly downloads and more than 20,000 dependent projects. The researchers reported the vulnerability, now tracked as CVE-2022-23529, to Auth0 as soon as they discovered it in July 2022.


To exploit the vulnerability, an attacker must first be able to control the key material passed to jwt.verify() (the secretOrPublicKey argument), which in practice means abusing a separate flaw in the application's secret-management process. Because of that precondition the flaw was assigned a CVSS score of 7.6 (high).

The Auth0 engineering team released a patch for the flaw in December 2022. JsonWebToken version 9.0.0 contains the fix; earlier versions remain affected.

This research was documented by Palo Alto Networks' Unit 42 team.

Vulnerability disclosure timeline
