Severe Security Vulnerability Found in Popular Open-Source JWT Library

Summary

A high-severity security flaw was discovered in the open-source JsonWebToken (JWT) library impacting versions 8.5.1 and earlier. JWT, which is developed and maintained by Okta's Auth0, is an open-source JavaScript module that allows users to decode, verify, and generate JSON web tokens for authorization and authentication processes. At the time of this writing, the JavaScript package has over 11 million weekly downloads and is used by more than 22,000 projects. If successfully exploited, CVE-2022-23529 (CVSS v3 7.6) may lead to remote code execution on a target server. However, to exploit the vulnerability, a threat actor must first control or exploit a flaw within the secret management process and gain control of the secretOrPublicKey value.

Regardless of their complexity, threat actors are developing exploits for new vulnerabilities more quickly. New research indicates an exploit is detected in the wild only 14 days on average after public disclosure of a vulnerability. Google launched an Open-Source Vulnerabilities (OSV) database designed to connect a project’s list of dependencies with the open-source vulnerabilities that affect them.

Recommendations

The NJCCIC recommends administrators update to version 9.0.0 after appropriate testing. Further information can be found in Palo Alto’s Unit 42 blog post.