
Severe Security Flaw Found in “jsonwebtoken” Library Used by 22,000+ Projects

Jan 10, 2023 | Ravie Lakshmanan | Software Security / Supply Chain


A high-severity security flaw has been disclosed in the open
source jsonwebtoken (JWT) library that, if successfully exploited,
could lead to remote code execution on a target server.

“By exploiting this vulnerability[1], attackers could achieve
remote code execution (RCE) on a server verifying a maliciously
crafted JSON web token (JWT) request,” Palo Alto Networks Unit 42
researcher Artur Oleyarsh said[2]
in a Monday report.

Tracked as CVE-2022-23529[3] (CVSS score: 7.6), the
issue affects all versions of the library up to and including
8.5.1 and was addressed in version 9.0.0[4], shipped on
December 21, 2022. Unit 42 reported the flaw to the maintainers
on July 13, 2022.

jsonwebtoken, developed and maintained[5] by Okta's Auth0, is a
JavaScript module for decoding, verifying, and generating JSON
web tokens, a standard way of securely transmitting claims
between two parties for authentication and authorization. It has
over 10 million weekly downloads[6] on the npm registry and is
used by more than 22,000 projects.

Running attacker-supplied code on the server that verifies tokens
would break the confidentiality and integrity guarantees the
library exists to provide: according to Unit 42, a poisoned
secret key could let an attacker overwrite arbitrary files on the
host and from there perform any action of their choosing.


“With that being said, in order to exploit the vulnerability
described in this post and control the secretOrPublicKey value[7], an attacker will need
to exploit a flaw within the secret management process,” Oleyarsh
explained.

As open source components increasingly serve as an initial access
pathway for supply chain attacks, vulnerabilities in widely used
libraries need to be identified, mitigated, and patched promptly by
downstream users.

Making matters worse, attackers have become much faster at
exploiting newly disclosed flaws, shrinking the window between a
patch release and exploit availability. According to Microsoft, it
takes only 14 days on average[8] for an exploit to be detected in
the wild after a bug is publicly disclosed.

To help on the dependency side of this problem, Google last month
announced OSV-Scanner[9], an open source utility that enumerates
all of a project's transitive dependencies and reports the known
vulnerabilities affecting them.


References

  1. vulnerability (github.com)
  2. said (unit42.paloaltonetworks.com)
  3. CVE-2022-23529 (nvd.nist.gov)
  4. version 9.0.0 (github.com)
  5. developed and maintained (jwt.io)
  6. 10 million weekly downloads (www.npmjs.com)
  7. secretOrPublicKey value (github.com)
  8. 14 days on average (thehackernews.com)
  9. OSV-Scanner (thehackernews.com)
  10. Twitter (twitter.com)
  11. LinkedIn (www.linkedin.com)
