QID 377890

Date Published: 2023-01-18

QID 377890: jsonwebtoken NPM Package Remote Code Execution (RCE) Vulnerability (GHSA-27h2-hvpr-p74q)

node-jsonwebtoken is a JSON Web Token implementation for Node.js. In versions of the jsonwebtoken library up to and including 8.5.1, a malicious actor who can modify the key retrieval parameter (the secretOrPublicKey argument of the jwt.verify() function, as documented in the project readme) can write arbitrary files on the host machine.

Note: This QID is reported as a potential vulnerability because users are affected only if untrusted entities are allowed to modify the key retrieval parameter of jwt.verify() on a host that you control.

Affected Versions:
jsonwebtoken 8.5.1 and versions prior to it.

QID Detection Logic (Authenticated):
This QID checks for a vulnerable version of the jsonwebtoken npm package installed globally. It runs the "npm list -g --silent" command to obtain the installed version and compares it against the affected range.

Note:
NPM packages can be installed anywhere as a development or production dependency. This QID can only detect jsonwebtoken packages that are installed globally. On Microsoft Windows, this QID checks for installed packages within the '%systemdrive%\Users\Administrator' directory.
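The following added example (not Qualys' own detection code) reproduces the version check described above: it reads output in the tree format that "npm list -g --silent" prints and flags any jsonwebtoken entry at 8.5.1 or older. The sample output is constructed; on a real host the same function can be fed "npm list --silent" run inside a project directory, which covers the local dependencies the QID does not check.

```shell
#!/bin/sh
# Added example, not Qualys' own detection code: flag copies of jsonwebtoken at
# 8.5.1 or older (the affected range) in `npm list -g --silent` style output.

# Constructed sample in the tree format `npm list -g --silent` prints.
SAMPLE_NPM_LIST='/usr/local/lib
├── jsonwebtoken@8.5.1
├── npm@9.2.0
└── typescript@4.9.4'

# Returns 0 when "$1" is 8.5.1 or older, 1 when newer, 2 when it cannot be parsed.
is_affected_version() {
    v=${1%%-*}                       # drop a pre-release suffix such as 8.5.1-rc.1
    [ -n "$v" ] || return 2
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    case "$major$minor$patch" in *[!0-9]*) return 2 ;; esac
    [ "$major" -lt 8 ] && return 0
    [ "$major" -gt 8 ] && return 1
    [ "$minor" -lt 5 ] && return 0
    [ "$minor" -gt 5 ] && return 1
    [ "$patch" -le 1 ]
}

# Reads npm list output on stdin; prints one verdict per jsonwebtoken entry.
# Returns 0 when at least one affected copy was seen, 1 otherwise.
scan_npm_list() {
    found=1
    while IFS= read -r line; do
        case "$line" in *jsonwebtoken@*) ;; *) continue ;; esac
        ver=${line##*jsonwebtoken@}
        ver=${ver%% *}               # strip trailing " deduped" / " extraneous" notes
        if is_affected_version "$ver"; then
            echo "jsonwebtoken@$ver AFFECTED (8.5.1 or older, update)"
            found=0
        else
            echo "jsonwebtoken@$ver ok"
        fi
    done
    return "$found"
}

# Scan the constructed sample; on a real host pipe `npm list -g --silent` (or
# `npm list --silent` inside a project, which the QID does not cover) into it.
printf '%s\n' "$SAMPLE_NPM_LIST" | scan_npm_list
```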

Successful exploitation of the vulnerability may allow an attacker to write arbitrary files to a system.

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as High - 7.8 severity.

Solution:
The vendor has released a patch; customers are advised to download the latest version from the jsonwebtoken download page.

Vendor References:

CVEs related to QID 377890:

Software Advisories:
Advisory ID: GHSA-27h2-hvpr-p74q
Software Component Link: github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-27h2-hvpr-p74q