GHSA-qwph-4952-7xr6

Source
https://github.com/advisories/GHSA-qwph-4952-7xr6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-qwph-4952-7xr6/GHSA-qwph-4952-7xr6.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-qwph-4952-7xr6
Aliases
Related
Published
2022-12-22T03:32:59Z
Modified
2024-06-21T21:33:52Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
Summary
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
Details

Overview

In versions <=8.5.1 of the jsonwebtoken library, calling jwt.verify() without an algorithm definition and with a falsy secret or key can lead to signature validation bypass, because signature verification then defaults to the none algorithm.

Am I affected?

You will be affected if all of the following are true in the jwt.verify() function:
- a token with no signature is received
- no algorithms are specified
- a falsy (e.g. null, false, undefined) secret or key is passed

How do I fix it?

Update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method.

Will the fix impact my users?

There will be no impact if you update to version 9.0.0 and you do not need to allow the none algorithm. If you need the 'none' algorithm, you have to explicitly specify it in the jwt.verify() options.
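As an added example (not code from this advisory or from the jsonwebtoken project), the following Node.js pre-flight check refuses exactly the three conditions listed under "Am I affected?" before a token and key ever reach jwt.verify(): it requires a truthy secret or key, requires an explicit non-empty algorithms allow-list that does not contain none, and rejects tokens whose signature segment is empty or whose header claims alg none. Function names, the sample tokens and the placeholder signature bytes are constructed for this example; the returned options object is what you would then pass to jwt.verify().

```javascript
// Added example for GHSA-qwph-4952-7xr6: a pre-flight check to run before
// jwt.verify(). Not part of the advisory or the jsonwebtoken project; the
// function names and sample tokens below are constructed for illustration.

// base64url helpers (compact JWT segments are base64url without padding).
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Parse the JOSE header of a compact JWT without trusting or verifying it.
function parseCompactJwt(token) {
  if (typeof token !== 'string') throw new TypeError('token must be a string');
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('malformed token: expected header.payload.signature');
  }
  let header;
  try {
    header = JSON.parse(b64urlDecode(parts[0]));
  } catch (e) {
    throw new Error('malformed token: header is not valid JSON');
  }
  return { header, signature: parts[2] };
}

// Check (token, secretOrKey, options) against the three conditions the
// advisory lists. Returns the options to hand to jwt.verify(), or throws.
// Policy of this wrapper: the "none" algorithm is never accepted.
function checkVerifyInputs(token, secretOrKey, options = {}) {
  // Condition: a falsy (null, false, undefined, '') secret or key.
  if (!secretOrKey) {
    throw new Error('refusing to verify: secret or key is falsy');
  }
  // Condition: no algorithms specified. Demand an explicit allow-list.
  const algorithms = options.algorithms;
  if (!Array.isArray(algorithms) || algorithms.length === 0) {
    throw new Error('refusing to verify: options.algorithms must be a non-empty array');
  }
  if (algorithms.includes('none')) {
    throw new Error('refusing to verify: "none" is not an acceptable algorithm here');
  }
  // Condition: a token with no signature (empty third segment), or a header
  // that claims alg "none".
  const { header, signature } = parseCompactJwt(token);
  if (signature === '' || header.alg === 'none') {
    throw new Error('refusing to verify: token is unsigned');
  }
  // The header alg must be one the caller explicitly allowed; jwt.verify()
  // performs the actual signature check with the options returned here.
  if (!algorithms.includes(header.alg)) {
    throw new Error(`refusing to verify: header alg "${header.alg}" not in allow-list`);
  }
  return { ...options, algorithms };
}

// Constructed sample tokens. The HS256 token's signature bytes are a
// placeholder, not a real HMAC; only the shape matters for the pre-check.
const UNSIGNED_TOKEN =
  `${b64urlEncode({ alg: 'none', typ: 'JWT' })}.${b64urlEncode({ sub: 'alice' })}.`;
const HS256_SHAPED_TOKEN =
  `${b64urlEncode({ alg: 'HS256', typ: 'JWT' })}.${b64urlEncode({ sub: 'alice' })}.c2lnbmF0dXJl`;

// Stand-alone demonstration: the vulnerable call shape (unsigned token, no
// algorithms, falsy key) is rejected; the hardened call shape passes through.
function demo() {
  const cases = [
    ['unsigned token, falsy key, no algorithms', [UNSIGNED_TOKEN, null, {}]],
    ['unsigned token, key present, explicit algs', [UNSIGNED_TOKEN, 'secret', { algorithms: ['HS256'] }]],
    ['HS256 token, key present, explicit algs', [HS256_SHAPED_TOKEN, 'secret', { algorithms: ['HS256'] }]],
  ];
  const results = [];
  for (const [label, args] of cases) {
    try {
      checkVerifyInputs(...args);
      results.push(`${label}: passed pre-check`);
    } catch (e) {
      results.push(`${label}: ${e.message}`);
    }
  }
  return results;
}

console.log(demo().join('\n'));
```

The wrapper deliberately does not implement any signature checking of its own; its job is to make the unsafe input combination unrepresentable at the call site, so that even a pre-9.0.0 jsonwebtoken is never asked to verify an unsigned token with a falsy key and no algorithm list.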

Database specific
{
    "nvd_published_at": "2022-12-22T19:15:00Z",
    "cwe_ids": [
        "CWE-287",
        "CWE-327",
        "CWE-347"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-22T03:32:59Z"
}
References

Affected packages

npm / jsonwebtoken

Affected ranges

Type: SEMVER
Events:
  Introduced: 0 (unknown introduced version; all previous versions are affected)
  Fixed: 9.0.0