CVE-2022-23540: jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
(updated )
Overview
In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification.
Am I affected?
You will be affected if all the following are true in the jwt.verify() function:
- a token with no signature is received
- no algorithms are specified
- a falsy (e.g. null, false, undefined) secret or key is passed
How do I fix it?
Update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method.
Will the fix impact my users?
There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need ’none’ algorithm, you have to explicitly specify that in jwt.verify() options.
References
- github.com/advisories/GHSA-qwph-4952-7xr6
- github.com/auth0/node-jsonwebtoken
- github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3
- github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6
- nvd.nist.gov/vuln/detail/CVE-2022-23540
- security.netapp.com/advisory/ntap-20240621-0007
Code Behaviors & Features
Detect and mitigate CVE-2022-23540 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →