CVE-2022-23540
Summary
| CVE | CVE-2022-23540 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-12-22 19:15:00 UTC |
| Updated | 2023-11-07 03:44:00 UTC |
| Description | In versions `<=8.5.1` of the `jsonwebtoken` library, the lack of an algorithm definition in the `jwt.verify()` function can lead to a signature validation bypass, because verification defaults to the `none` algorithm. Users are affected if they do not specify `algorithms` in the `jwt.verify()` call. This issue has been fixed; please update to version 9.0.0, which removes the default support for the `none` algorithm in the `jwt.verify()` method. There will be no impact if you update to version 9.0.0 and do not need to allow the `none` algorithm. If you do need the `none` algorithm, you have to explicitly specify it in the `jwt.verify()` options. |
Risk And Classification
Problem Types: CWE-347
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Auth0 | Jsonwebtoken | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Merge pull request from GHSA-8cf7-32gw-wr33 · auth0/node-jsonwebtoken@e1fa9dc · GitHub | MISC | github.com | |
| Insecure default algorithm in jwt.verify() could lead to signature validation bypass · Advisory · auth0/node-jsonwebtoken · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.