ghsa-qwph-4952-7xr6
Vulnerability from github
Overview
In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the jwt.verify()
function can lead to signature validation bypass due to defaulting to the none
algorithm for signature verification.
Am I affected?
You will be affected if all the following are true in the jwt.verify()
function:
- a token with no signature is received
- no algorithms are specified
- a falsy (e.g. null, false, undefined) secret or key is passed
How do I fix it?
Update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify()
method.
Will the fix impact my users?
There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none
algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify()
options.
{ "affected": [ { "package": { "ecosystem": "npm", "name": "jsonwebtoken" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "9.0.0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-23540" ], "database_specific": { "cwe_ids": [ "CWE-287", "CWE-327", "CWE-347" ], "github_reviewed": true, "github_reviewed_at": "2022-12-22T03:32:59Z", "nvd_published_at": "2022-12-22T19:15:00Z", "severity": "MODERATE" }, "details": "# Overview\n\nIn versions \u003c=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification.\n\n# Am I affected?\nYou will be affected if all the following are true in the `jwt.verify()` function:\n- a token with no signature is received\n- no algorithms are specified \n- a falsy (e.g. null, false, undefined) secret or key is passed \n\n# How do I fix it?\n \nUpdate to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. \n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you don\u2019t need to allow for the `none` algorithm. If you need \u0027none\u0027 algorithm, you have to explicitly specify that in `jwt.verify()` options.\n", "id": "GHSA-qwph-4952-7xr6", "modified": "2024-06-21T21:33:52Z", "published": "2022-12-22T03:32:59Z", "references": [ { "type": "WEB", "url": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23540" }, { "type": "WEB", "url": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3" }, { "type": "PACKAGE", "url": "https://github.com/auth0/node-jsonwebtoken" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240621-0007" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", "type": "CVSS_V3" } ], "summary": "jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()" }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.