CVE-2022-23540: Improper Authentication
In versions <=8.5.1 of the jsonwebtoken library, the lack of an algorithm definition in the jwt.verify() function can lead to a signature validation bypass, because signature verification defaults to the none algorithm. Users are affected if they do not specify algorithms in the jwt.verify() function. This issue has been fixed; please update to version 9.0.0, which removes the default support for the none algorithm in the jwt.verify() method. There is no impact if you update to version 9.0.0 and do not need to allow the none algorithm. If you need the 'none' algorithm, you have to specify it explicitly in the jwt.verify() options.