High-severity flaw in JsonWebToken library fixed by Auth0

• The open-source module “JsonWebToken” is used in over a thousand projects, specifically in projects that are open-source.
• Auth0 fixes the remote code execution vulnerability found in “JsonWebToken”, which is rated as a “high-severity” flaw.
• While the threat was first classified as a  9.8 CVSS 3.1 rating “critical” flaw, it has been found that it is more complicated than first thought for hackers to gain access, bringing the severity down to a 7.6 CVSS 3.1 rating “high-severity” flaw.

For their open-source projects, major corporations including Microsoft, Salesforce, Slack, and many others have used the “JsonWebToken” library. JSON Web tokens can be created, signed, and verified using the open-source library known as the JsonWebToken project. Over thousands of projects utilize the “JsonWebToken” open-source module. There was a remote code execution vulnerability found in “JsonWebToken” that Auth0 fixed recently.

Auth0 is a solution for integrating authentication and authorization into user applications. The vulnerability affects “JsonWebToken” versions below 9.0.0 and is tracked as CVE-2022-23529 with a rating of 9.8 (CVSS 3.1).

The severity goes down

While the CVSS 3.1 rating is a 9.8 critical, it was announced that it would be more difficult to exploit as threat actors would first need to undermine the private management procedure between an app and a JsonWebToken server, which would bring it down to a CVSS severity rating of 7.6. If a malicious actor is able to alter the key retrieval parameter of the jwt.verify() function for “JsonWebToken” library versions lower than 8.5.1, they can get remote code execution (RCE). Only users who have allowed untrusted entities to modify the key retrieval parameter of the jwt.verify() are in danger.

To fix this vulnerability, it is recommended users update to version 9.0.0. In the end, because it can only be used by threat actors as part of the secret management process, this vulnerability is rated as “high-severity” and not “critical”. Although the severity rating went down, as many companies listed above utilize “JsonWebToken”, a fix was needed as soon as possible.

On December 21st, 3 months after the Auth0 team announced they were working on a fix, a patch was made available with JsonWebToken version 9.0.0. The fix introduced more checks to the secretOrPublicKey to ensure security. All users are recommended to update to the latest version to be protected against these exploits.