In December, Auth0 released an updated version of JsonWebToken open source library to address a remote code execution vulnerability. The flaw was detected by researchers at Palo Alto Networks Unit 42; they reported the issue to Auth0 in July. Users are urged to update to JsonWebToken version 9.0.0 or newer.
Note
- Interesting vulnerability, in particular as the library is very popular. However, I don’t see a clear way to exploit this vulnerability to gain the claimed code execution. There are quite a few dependencies to make this work. So, in other words: Not an emergency, but get this patched before someone more creative in exploit writing figures out a way to exploit this.
- JsonWebToken is a open source Javascript package that allows you to verify/sign JWTs, which are mostly used for authorization/authentication. In that context, getting the crypto right is critical. Specific to CVE-2022-23529, lack of data validation of the data type for the secrretOrPublicKey input, which is fixed in version 9.0.0. Two actions here: first, update to the newer version; second, take this to your developers to underscore the importance of input validation (and yes, I’ve been the guy who incorrectly stated “they would never do that” about data passed to my app….)
- This is another example that calling something “cryptography-based” is easy, safely implementing cryptographic and key/secret management functions is NOT easy. This is especially true for efforts like JWT to implement using “URL-safe parts” in order to work in a browser/server through multiple firewalls path. Take special precautions anytime you are an early adopter of security approaches that claim to work in “constrained environments.”
- Not “patched!” There is a gap between the availability and the application of patches. While necessary, availability is only part of a solution.
Read more in
