CVE-2023-48238

Public Exploit
JWT Algorithm Confusion in json-web-token library

Description

joaquimserafim/json-web-token is a javascript library use to interact with JSON Web Tokens (JWT) which are a compact URL-safe means of representing claims to be transferred between two parties. Affected versions of the json-web-token library are vulnerable to a JWT algorithm confusion attack. On line 86 of the 'index.js' file, the algorithm to use for verifying the signature of the JWT token is taken from the JWT token, which at that point is still unverified and thus shouldn't be trusted. To exploit this vulnerability, an attacker needs to craft a malicious JWT token containing the HS256 algorithm, signed with the public RSA key of the victim application. This attack will only work against this library is the RS256 algorithm is in use, however it is a best practice to use that algorithm.

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.14%
Vendor Advisory github.com
Affected: joaquimserafim json-web-token
Published at:
Updated at:

References

Link Tags
https://github.com/joaquimserafim/json-web-token/security/advisories/GHSA-4xw9-cx39-r355 vendor advisory exploit

Frequently Asked Questions

What is the severity of CVE-2023-48238?
CVE-2023-48238 has been scored as a high severity vulnerability.
How to fix CVE-2023-48238?
To fix CVE-2023-48238, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-48238 being actively exploited in the wild?
It is possible that CVE-2023-48238 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-48238?
CVE-2023-48238 affects joaquimserafim json-web-token.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.