Overview

For versions <=8.5.1 of jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote code execution (RCE).

Am I affected?

You are affected only if you allow untrusted entities to modify the key retrieval parameter of the jwt.verify() on a host that you control.

How do I fix it?

Update to version 9.0.0

Will the fix impact my users?

The fix has no impact on end users.

Credits

Palo Alto Networks

References

• https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-27h2-hvpr-p74q
• https://nvd.nist.gov/vuln/detail/CVE-2022-23529
• https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3
• https://github.com/advisories/GHSA-27h2-hvpr-p74q