CVE-2022-23541

jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC

Description

jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.

Category

5.0
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.04%
Third-Party Advisory github.com
Affected: auth0 node-jsonwebtoken
Published at:
Updated at:

References

Link Tags
https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959 third party advisory
https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3 patch
https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0 release notes
https://security.netapp.com/advisory/ntap-20240621-0007/

Frequently Asked Questions

What is the severity of CVE-2022-23541?
CVE-2022-23541 has been scored as a medium severity vulnerability.
How to fix CVE-2022-23541?
To fix CVE-2022-23541, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-23541 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-23541 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-23541?
CVE-2022-23541 affects auth0 node-jsonwebtoken.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.