PT-2022-16054 · Npm · Jsonwebtoken

Published 2022-12-21 · Updated 2023-08-28 · CVE-2022-23529

CVSS v3.1 7.6 High
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions
jsonwebtoken (npm) versions <= 8.5.1
Description
A high-severity flaw in the jsonwebtoken library can lead to remote code execution (RCE). The issue arises when an attacker is able to control the key retrieval parameter, the secretOrPublicKey argument of jwt.verify(). Versions up to 8.5.1 do not check that this argument is genuine key material (a string, Buffer or KeyObject) before handing it to the signature check, so an attacker-supplied object can reach code that does not expect it. An application is affected only if it allows untrusted input to determine this argument on a host the application controls. The library has been downloaded over 10 million times in the last week.
Recommendations
Upgrade jsonwebtoken to version 9.0.0 or later; 9.0.0 adds type checks on the secretOrPublicKey argument and other security checks that close this flaw and prevent misuse of the package. Until the upgrade is in place, make sure nothing untrusted can determine the secretOrPublicKey argument of jwt.verify(): take keys only from server-held configuration or a key store, select them by an allow-listed identifier, and reject any value that is not a string, Buffer or KeyObject before calling jwt.verify().


Related Identifiers

CVE-2022-23529
GHSA-27H2-HVPR-P74Q

Affected Products

Jsonwebtoken