In December, Auth0 released an updated version of JsonWebToken open source library to address a remote code execution vulnerability. The flaw was detected by researchers at Palo Alto Networks Unit 42; they reported the issue to Auth0 in July. Users are urged to update to JsonWebToken version 9.0.0 or newer.
Note
- Interesting vulnerability, in particular as the library is very popular. However, I don’t see a clear way to exploit this vulnerability to gain the claimed code execution. There are quite a few dependencies to make this work. So, in other words: Not an emergency, but get this patched before someone more creative in exploit writing figures out a way to exploit this.
- JsonWebToken is a open source Javascript package that allows you to verify/sign JWTs, which are mostly used for authorization/authentication. In that context, getting the crypto right is critical. Specific to CVE-2022-23529, lack of data validation of the data type for the secrretOrPublicKey input, which is fixed in version 9.0.0. Two actions here: first, update to the newer version; second, take this to your developers to underscore the importance of input validation (and yes, I’ve been the guy who incorrectly stated “they would never do that” about data passed to my app….)
- This is another example that calling something “cryptography-based” is easy, safely implementing cryptographic and key/secret management functions is NOT easy. This is especially true for efforts like JWT to implement using “URL-safe parts” in order to work in a browser/server through multiple firewalls path. Take special precautions anytime you are an early adopter of security approaches that claim to work in “constrained environments.”
- Not “patched!” There is a gap between the availability and the application of patches. While necessary, availability is only part of a solution.
Read more in
- Disclosing a New Vulnerability in JWT Secret Poisoning (CVE-2022-23529)
- jsonwebtoken has insecure input validation in jwt.verify function
- jsonwebtoken
Alex Lim
Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
