JsonWebToken Remote Code Execution Vulnerability


A critical Remote Code Execution (RCE) vulnerability has been discovered in one of the most widely used open-source projects for JSON web token (JWT) authentication, jsonwebtoken. The security flaw, which has been assigned a high severity rating, could potentially affect thousands of applications and systems, allowing malicious actors to bypass authentication and gain unauthorized access to sensitive information.

What is JsonWebToken?

JsonWebToken is an open-source JavaScript package for signing and verifying JWTs, which are mainly used for authorization and authentication purposes. Developed and maintained by Auth0, the package had over 9 million weekly downloads at the time of writing and over 20,000 dependents (according to the JsonWebToken npm page). This package plays a big role in the authentication and authorization functionality of many applications.

The jsonwebtoken project, which is written in JavaScript, is used by developers to encode and decode JWTs, which are used to authenticate users and transfer information securely between systems. The project is popular among developers, and versions 8.5.1 and below are impacted.

JsonWebToken Vulnerability

A major security flaw has been disclosed in the widely used open-source jsonwebtoken (JWT) library, leaving thousands of applications vulnerable to remote code execution (RCE) attacks. The vulnerability, which has been rated high-severity by cybersecurity experts, could allow malicious actors to gain unauthorized access to sensitive information and potentially take control of affected systems.

According to a report by Palo Alto Networks Unit 42 researcher Artur Oleyarsh, the vulnerability is tracked as CVE-2022-23529 and is rated 7.6 out of 10 in severity. It impacts all versions of the library up to and including 8.5.1. The library’s developers released a patch in version 9.0.0 on December 21, 2022, after the issue was reported on July 13, 2022.

The jsonwebtoken maintainers have released a patch to address the vulnerability, and it is strongly recommended that all users of the library update to the latest version (version 9.0.0) as soon as possible. Additionally, users are advised to review their codebase for potential vulnerabilities and to assess the potential impact of the issue on their systems.

The jsonwebtoken library is a popular JavaScript module used for encoding and decoding JSON web tokens, which are used to authenticate users and transfer information securely between systems. It is developed and maintained by Okta’s Auth0 and has over 10 million weekly downloads on the npm software registry and is utilized by more than 22,000 projects.

According to the advisory, for versions <=8.5.1 of the jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (the secretOrPublicKey argument documented in the project README) of the jwt.verify() function, they can gain remote code execution (RCE).

The ability to run malicious code on a server could break confidentiality and integrity guarantees and potentially enable a bad actor to overwrite arbitrary files on the host and perform any action of their choosing using a malicious secret key.

Are you Affected?

You are affected only if you allow untrusted entities to modify the key retrieval parameter of jwt.verify() on a host that you control.

IMPACT

To exploit the vulnerability described in this post and control the secretOrPublicKey value, an attacker would first need to exploit a flaw in the secret management process.

How do I fix it?

Update to version 9.0.0.

The discovery of this vulnerability also highlights the need for open-source software to be proactively monitored for vulnerabilities, and for organizations and individuals to prioritize cybersecurity to protect their systems and data from potential threats. As cybercriminals become more efficient at exploiting new vulnerabilities, timely patches and updates are even more imperative.

Image source: Unit42