Vulnerability in Popular JsonWebToken Open Source Project Leads to Code Execution

A vulnerability in the JsonWebToken open source JavaScript package could be exploited to achieve remote code execution (RCE), Palo Alto Networks’ Unit 42 warns.

Maintained by the Auth0 team and designed to sign and verify JSON web tokens (JWTs), JsonWebToken is used in many applications for authentication and authorization and has more than 9 million weekly downloads.

Tracked as CVE-2022-23529 (CVSS score of 7.6), the vulnerability was found in the package’s verify function and can be exploited using a maliciously crafted JWT request.

During the authentication process, the user-supplied credentials are sent to the authentication endpoint, which validates the information and issues a JWT signed with a secret key.

Subsequently, when a user requests access to resources, the request carries the JWT in the authorization header, and the application verifies it using the same secret key.

The identified vulnerability, Unit 42 researchers explain, lies in JsonWebToken’s verify function and exists because the function never checks that one of the parameters it receives is a string or a buffer.

When the caller provides no list of allowed algorithms, the package derives them from the value passed in that parameter, treating it as key material, and blindly calls one of the value’s methods.

Because of that, an attacker who controls the parameter can supply a malicious object to the verify function with that method overridden and achieve an arbitrary file write. The same technique, with a slightly modified payload, can also be used to achieve remote code execution (RCE), the researchers say.

Because successful exploitation requires the attacker to first exploit a flaw in the application’s secret management process, the severity score of the issue has been downgraded.

CVE-2022-23529 impacts JsonWebToken version 8.5.1 and earlier and has been addressed with the release of JsonWebToken version 9.0.0. Users are advised to update to the patched version as soon as possible.

“Security awareness is crucial when using open source software. Reviewing commonly used security open source implementations is necessary for maintaining their dependability, and it’s something the open source community can take part in,” Unit 42 concludes.

Update – February 1

Due to the multiple prerequisites required for successful exploitation, Palo Alto Networks and Auth0 decided to retract CVE-2022-23529. They warn, however, that the issue remains a risk: when the library is used in an insecure way and all the prerequisites are met, exploitation is possible.

“The security issue described in this blog remains a concern when the JsonWebToken library is used in an insecure way. In that scenario, if all the prerequisites are met, the issue may be exploitable. We agree that the source of this risk in that case will be in the calling code, and not in the library.

“Important security checks were added to the JsonWebToken code to address this issue. Users of jsonwebtoken 8.5.1 and earlier are encouraged to update to the latest version, 9.0.0, which presents safer code that fixes this security flaw and others,” Palo Alto Networks notes in a January 30 update.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
