CVE-2022-23539, CVE-2022-23541, CVE-2022-23540: Security Update for jsonwebtoken
Published: Dec 21, 2022
CVE numbers: CVE-2022-23539, CVE-2022-23541, CVE-2022-23540
Overview
Auth0 has released a new major version of the jsonwebtoken library to address four vulnerabilities.
We recommend you review the following security advisories and upgrade to the new major version:
Unrestricted key type could lead to legacy keys usage: CVE-2022-23539
Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC: CVE-2022-23541
Insecure default algorithm in jwt.verify() could lead to signature validation bypass: CVE-2022-23540
Am I affected?
You could be affected if you are using jsonwebtoken in any version <= 8.5.1, depending on the configuration. Please consult the individual security advisories for more details.
How to fix that?
If you are using jsonwebtoken, upgrade to version 9.0.0 or higher. You may need some additional configuration. Please consult the individual security advisories for more details.
Will this update impact my users?
Updating to version 9.0.0 may impact your users depending on your configuration and application needs. Please consult the individual security advisories for more details.