CVE-2022-23529 is a new security vulnerability in the JSONWebToken open source project. The issue was discovered by Unit 42 researchers, and has been rated 7.6 on the CVSS scale (high severity).
What Is the JSONWebToken Open Source Project?
JSONWebToken is an open source library that implements JSON Web Tokens (JWT), an open standard (RFC 7519) that defines “a compact and self-contained way for securely transmitting information between parties as a JSON object,” as per the official website. A JWT is a standardized format for exchanging data between two parties: because the token is signed, the receiving side can authenticate the sender and detect any tampering with the claims it carries.
What Is the CVE-2022-23529 Vulnerability in JSONWebToken?
The vulnerability could lead to remote code execution on a server that verifies a maliciously crafted JSON web token request. “If you are using JsonWebToken package version 8.5.1 or an earlier version, please update to JsonWebToken package version 9.0.0, which includes a patch for this vulnerability,” Unit 42 researchers noted.
Fortunately, the vulnerability has already been fixed. Only deployments in which an untrusted party can influence the key parameter passed to jwt.verify() on a host they control are affected. To avoid any compromise, customers should update to version 9.0.0.