CVE-2022-23540

jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()

Description

In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.

References

Link	Tags
https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6	third party advisory
https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3	patch
https://security.netapp.com/advisory/ntap-20240621-0007/

Frequently Asked Questions

What is the severity of CVE-2022-23540?: CVE-2022-23540 has been scored as a medium severity vulnerability.
How to fix CVE-2022-23540?: To fix CVE-2022-23540, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-23540 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2022-23540 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-23540?: CVE-2022-23540 affects auth0 node-jsonwebtoken.

Description

Categories

CWE-287 – Improper Authentication

CWE-347 – Improper Verification of Cryptographic Signature

References

Frequently Asked Questions