CVE-2022-23529 in JsonWebToken Allows RCE Attacks

CVE-2022-23529 is a new security vulnerability in the JSONWebToken open source project. The issue was discovered by Unit 42 researchers, and has been rated 7.6 on the CVSS scale (high severity).

What Is the JSONWebToken Open Source Project?

JSONWebToken is an open source project dedicated to providing a secure way to transfer data between two parties. It follows an open standard (RFC 7519) that defines “a compact and self-contained way for securely transmitting information between parties as a JSON object,” as per the official website. The project offers a standardized method for securely exchanging data using a JSON web token (JWT), and it provides a way to authenticate users while also protecting the data they are sending and receiving.




What Is the CVE-2022-23529 Vulnerability in JSONWebToken?

The vulnerability could lead to remote code execution on a server that verifies a maliciously crafted JSON web token request. “If you are using JsonWebToken package version 8.5.1 or an earlier version, please update to JsonWebToken package version 9.0.0, which includes a patch for this vulnerability,” Unit 42 researchers noted.

Fortunately, the vulnerability has already been fixed. Only customers that allow untrusted entities to modify the key retrieval parameter of the jwt.verify() function on a host that they control are affected. To avoid any compromise, customers should update to version 9.0.0.
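
The update advice can be checked mechanically. As an added example (not code from this article or from the JsonWebToken project), the script below finds every copy of the `jsonwebtoken` package recorded in an npm `package-lock.json`, including nested transitive copies, and flags versions below 9.0.0. The sample lockfile and the package names `demo-api`, `legacy-auth` and `jsonwebtoken-helper` are constructed for illustration.

```javascript
// Added example: audit a package-lock.json for jsonwebtoken copies older than
// 9.0.0, the release the article names as patched for CVE-2022-23529.
const PATCHED = [9, 0, 0];

// True when the version is below 9.0.0, is a 9.0.0 pre-release, or cannot be
// parsed (conservative assumption: unknown versions go to manual review).
function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(version));
  if (!m) return true;
  const v = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== PATCHED[i]) return v[i] < PATCHED[i];
  }
  return Boolean(m[4]); // exactly 9.0.0 passes; "9.0.0-beta" is flagged
}

// Collect every installed copy, including nested ones pulled in transitively.
function findJsonWebToken(lock) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/jsonwebtoken$/.test(path)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else { // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "jsonwebtoken") hits.push({ path, version: meta.version });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits.map((h) => ({ ...h, vulnerable: isVulnerable(h.version) }));
}

// Constructed sample lockfile; package names other than jsonwebtoken are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-api", version: "1.0.0" },
    "node_modules/jsonwebtoken": { version: "9.0.0" },
    "node_modules/legacy-auth/node_modules/jsonwebtoken": { version: "8.5.1" },
    "node_modules/jsonwebtoken-helper": { version: "1.2.0" },
  },
};
console.log(findJsonWebToken(sampleLock));
```

A direct dependency on 9.0.0 does not clear a project on its own: the nested 8.5.1 copy in the sample is still loaded by the package that depends on it.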

Milena Dimitrova
