CVE-2022-23539, CVE-2022-23541, CVE-2022-23540: Security Update for jsonwebtoken

Published: Dec 21, 2022

CVE numbers: CVE-2022-23539, CVE-2022-23541, CVE-2022-23540

Overview

Auth0 has released a new major version of the jsonwebtoken library to address four vulnerabilities.

We recommend you review the following security advisories and upgrade to the new major version:

  • Unrestricted key type could lead to legacy keys usage: CVE-2022-23539

  • Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC: CVE-2022-23541

  • Insecure default algorithm in jwt.verify() could lead to signature validation bypass: CVE-2022-23540

Am I affected?

You could be affected if you are using any version of jsonwebtoken up to and including 8.5.1; whether you are actually exposed depends on your configuration. Please consult the individual security advisories for more details.

How do I fix this?

If you are using jsonwebtoken, upgrade to version 9.0.0 or higher. You may need some additional configuration. Please consult the individual security advisories for more details.

Will this update impact my users?

Updating to version 9.0.0 may impact your users depending on your configuration and application needs. Please consult the individual security advisories for more details.