The fix mitigates a remote code execution (RCE) vulnerability in a library used by 22,000 projects.
Authentication and authorization services provider Auth0 has fixed a remote code execution vulnerability in the ‘JsonWebToken’ open-source library. As reported by BleepingComputer, the fix is critical because that library is “immensely popular”, used by over 22,000 projects and downloaded over 36 million times per month on NPM.
JsonWebToken can be found in a host of open-source projects created by major publishers, including Microsoft, Twilio, Salesforce, Intuit, Box, IBM, Docusign, Slack and SAP. The vulnerability, which is tracked as CVE-2022-23529, impacts JsonWebToken versions prior to 9.0.0.
Auth0’s website explains that JsonWebToken (JWT) is an open standard that “defines a compact and self-contained way for securely transmitting information between parties as a JSON object”. The article adds that “this information can be verified and trusted because it is digitally signed”. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
The JsonWebToken library project is developed and maintained by Okta Auth0. It has over 9 million weekly downloads on the NPM package repository, according to BleepingComputer. Successful exploitation of CVE-2022-23529 could enable attackers to bypass authentication mechanisms, access confidential information, and steal or modify data. Palo Alto Networks’ Unit 42 discovered CVE-2022-23529 in July 2022.
Researchers found that threat actors could achieve remote code execution on servers using JsonWebToken once the server verified a maliciously crafted JWS token. Unit 42 reported its findings to Auth0 immediately. The vulnerability is categorized as ‘high-severity’ with a CVSS score of 7.6. The threat has not been deemed “critical” because threat actors can only exploit it within the secret management process.
The Auth0 team confirmed they were working on a solution back in August, and issued a patch on December 21, 2022 in JsonWebToken version 9.0.0. The fix adds additional checks on the secretOrPublicKey parameter, preventing it from parsing malicious objects.