Maintained by the Auth0 team and used to sign and verify JSON Web Tokens (JWTs), JsonWebToken is relied on by many applications for authentication and authorization and has more than 9 million weekly downloads.
Tracked as CVE-2022-23529 (CVSS score of 7.6), the vulnerability was found in the package's verify function. It is not triggered by the token being verified but by the value passed to verify as the secret or public key: an attacker who can control that argument can hand the function a malicious object in place of key material.
During authentication, the user-supplied credentials are sent to the authentication endpoint, which validates them and issues a JWT signed with a secret key.
When the user then requests a resource, the client sends a request carrying that JWT in the Authorization header, and the application verifies the token's signature with the same secret key (or, for asymmetric algorithms, the matching public key).
The vulnerability, Unit 42 researchers explain, is in JsonWebToken's verify function, which never checked that its secretOrPublicKey parameter was actually a string or a Buffer.
When the caller does not pass an explicit list of allowed algorithms, verify decides which algorithms to allow by calling that parameter's toString() method and looking for PEM markers (such as "BEGIN PUBLIC KEY") in the result, so whatever object was supplied has one of its methods invoked blindly before any key operation takes place.
An attacker who can control that argument can therefore pass an object whose toString method is attacker-defined. The researchers showed that such an object can be used to achieve arbitrary file write and, with a slightly modified payload, remote code execution (RCE).
Because successful exploitation requires the attacker to first subvert the application's secret management, so that the malicious object reaches verify in place of the real key, the severity score of the issue was lowered.
CVE-2022-23529 impacts JsonWebToken version 8.5.1 and earlier and has been addressed with the release of JsonWebToken version 9.0.0. Users are advised to update to the patched version as soon as possible.
“Security awareness is crucial when using open source software. Reviewing commonly used security open source implementations is necessary for maintaining their dependability, and it’s something the open source community can take part in,” Unit 42 concludes.
Update – February 1
Citing the multiple prerequisites required for successful exploitation, Palo Alto Networks and Auth0 decided to retract CVE-2022-23529, but warn that the issue remains a risk: if all the prerequisites are met and the library is used in an insecure way, exploitation is possible.
“The security issue described in this blog remains a concern when the JsonWebToken library is used in an insecure way. In that scenario, if all the prerequisites are met, the issue may be exploitable. We agree that the source of this risk in that case will be in the calling code, and not in the library.
“Important security checks were added to the JsonWebToken code to address this issue. Users of jsonwebtoken 8.5.1 and earlier are encouraged to update to the latest version, 9.0.0, which presents safer code that fixes this security flaw and others,” Palo Alto Networks notes in a January 30 update.