In December, Auth0 released an updated version of JsonWebToken open source library to address a remote code execution vulnerability. The flaw was detected by researchers at Palo Alto Networks Unit 42; they reported the issue to Auth0 in July. Users are urged to update to JsonWebToken version 9.0.0 or newer.
- Interesting vulnerability, in particular as the library is very popular. However, I don’t see a clear way to exploit this vulnerability to gain the claimed code execution. There are quite a few dependencies to make this work. So, in other words: Not an emergency, but get this patched before someone more creative in exploit writing figures out a way to exploit this.
- This is another example that calling something “cryptography-based” is easy, safely implementing cryptographic and key/secret management functions is NOT easy. This is especially true for efforts like JWT to implement using “URL-safe parts” in order to work in a browser/server through multiple firewalls path. Take special precautions anytime you are an early adopter of security approaches that claim to work in “constrained environments.”
- Not “patched!” There is a gap between the availability and the application of patches. While necessary, availability is only part of a solution.
Read more in