CVE-2022-23540

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-23540
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23540.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-23540
Aliases
Related
Published
2022-12-22T19:15:08Z
Modified
2025-01-08T14:03:54.545196Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Summary
[none]
Details

In versions <=8.5.1 of the jsonwebtoken library, the lack of an algorithm definition in the jwt.verify() function can lead to signature validation bypass, because signature verification defaults to the none algorithm. Users are affected if they do not specify algorithms in the jwt.verify() function. This issue has been fixed; please update to version 9.0.0, which removes the default support for the none algorithm in the jwt.verify() method. There will be no impact if you update to version 9.0.0 and you don't need to allow the none algorithm. If you need the 'none' algorithm, you have to explicitly specify that in the jwt.verify() options.

References

Affected packages

Git / github.com/auth0/node-jsonwebtoken

Affected ranges

Type
GIT
Repo
https://github.com/auth0/node-jsonwebtoken
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

v0.*

v0.2.0

v1.*

v1.1.1
v1.1.2

v2.*

v2.0.0

v3.*

v3.0.0
v3.1.0
v3.1.1
v3.2.0
v3.2.1
v3.2.2

v4.*

v4.0.0
v4.1.0
v4.2.0
v4.2.1
v4.2.2

v5.*

v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.1.0
v5.3.0
v5.3.1
v5.4.0
v5.5.0
v5.5.1
v5.5.2
v5.5.3
v5.5.4
v5.6.0
v5.6.1
v5.6.2
v5.7.0

v6.*

v6.0.0
v6.0.1
v6.1.0
v6.1.1
v6.1.2
v6.2.0

v7.*

v7.0.0
v7.0.1
v7.1.0
v7.1.1
v7.1.10
v7.1.2
v7.1.3
v7.1.4
v7.1.5
v7.1.6
v7.1.7
v7.1.8
v7.1.9
v7.2.0
v7.2.1
v7.3.0
v7.4.0
v7.4.1
v7.4.2
v7.4.3

v8.*

v8.0.0
v8.0.1
v8.1.0
v8.1.1
v8.2.0
v8.2.1
v8.2.2
v8.3.0
v8.5.0
v8.5.1