A critical remote code execution (RCE) vulnerability has been discovered in jsonwebtoken, one of the most widely used open-source libraries for JSON Web Token (JWT) authentication. The flaw, rated high severity, could affect thousands of applications and systems, allowing attackers to bypass authentication and gain unauthorized access to sensitive information.
What is JsonWebToken?
A serious vulnerability has been disclosed in the widely used open-source jsonwebtoken (JWT) library, leaving thousands of applications exposed to remote code execution (RCE) attacks. The vulnerability, rated high severity by cybersecurity experts, could allow attackers to gain unauthorized access to sensitive information and potentially take control of affected systems.
According to a report by Palo Alto Networks Unit 42 researcher Artur Oleyarsh, the vulnerability is tracked as CVE-2022-23529 and rated 7.6 out of 10 in severity. It affects all versions of the library up to and including 8.5.1. The library's developers released a fix in version 9.0.0 on December 21, 2022, after the issue was reported on July 13, 2022.
The jsonwebtoken maintainers have released a patch for the vulnerability, and all users of the library are strongly advised to update to the latest version (9.0.0) as soon as possible. Users should also review their codebase for potential exposure and assess the impact of the issue on their systems.
According to the advisory, for versions <=8.5.1 of the jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (the secretOrPublicKey argument described in the project readme) of the jwt.verify() function, they can gain remote code execution (RCE).
The ability to run malicious code on a server breaks confidentiality and integrity guarantees and could let an attacker overwrite arbitrary files on the host and perform any action of their choosing by supplying a malicious secret key.
Are you Affected?
You are affected only if you allow untrusted entities to modify the key retrieval parameter of jwt.verify() on a host that you control.
To exploit this vulnerability and control the secretOrPublicKey value, an attacker would first need to exploit a flaw in the application's secret management process.
How do I fix it?
Update to version 9.0.0
The discovery of this vulnerability also highlights the need to proactively monitor open-source software for vulnerabilities, and the need for organizations and individuals to prioritize cybersecurity to protect their systems and data from potential threats. As cybercriminals become more efficient at exploiting new vulnerabilities, timely patches and updates become even more imperative.
Image source: Unit42