Security researchers from Palo Alto Networks’ Unit 42 warn about a high-severity vulnerability in the JsonWebToken open-source JavaScript package that could be exploited to achieve remote code execution (RCE).
The vulnerability, tracked as CVE-2022-23529 (CVSS score of 7.6), was found in the package’s verify function and can be exploited using a maliciously crafted JWT request.
JsonWebToken is an open-source JavaScript package for signing and verifying JSON web tokens (JWTs). It is used in many applications for authentication and authorization. The project is developed and maintained by the Auth0 team and has more than 9 million weekly downloads.
The library is used in open-source projects created by Microsoft, Twilio, Salesforce, Intuit, Box, IBM, DocuSign, Slack, SAP, and many more.
During the authentication process, the user-supplied credentials are sent to the authentication endpoint, which validates the information and issues a JWT signed with a secret key. When a user requests access to resources, the application sends a request containing a JWT in the authorization header, which is verified using the secret key.
The vulnerability lies in JsonWebToken’s verify function, which accepts three parameters: the token, the secretOrPublicKey, and options. Because the function did not check whether the 'secretOrPublicKey' parameter is a string or a buffer, attackers can pass a specially crafted object to perform an arbitrary file write on the target machine.
When no allowed algorithms are provided in the options, the package derives them from the value passed in the vulnerable parameter and blindly calls one of that value’s methods.
An attacker can therefore abuse the parameter to supply a malicious object to the verify function, override that method, and achieve an arbitrary file write. The researchers say the same technique, with a slightly modified payload, can also be used to achieve remote code execution (RCE).
However, the researchers warn that threat actors would first need to compromise the secret management process between an app and a JsonWebToken server, which makes the flaw harder to exploit and lowers its severity rating to 7.6/10.
CVE-2022-23529 impacts JsonWebToken versions 8.5.1 and earlier and has been addressed in JsonWebToken version 9.0.0. Users are advised to update to the patched version as soon as possible.