PT-2022-16062 · Unknown · Jsonwebtoken
Julienwoll · Published 2022-12-22 · Updated 2026-06-04
CVE-2022-23541
CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: jsonwebtoken versions <= 8.5.1
Description: The jsonwebtoken library can be misconfigured so that it verifies tokens incorrectly. This occurs when a poorly implemented key retrieval function is supplied as the secretOrPublicKey argument of jwt.verify(). If that function returns an asymmetric public key for a token whose header claims the symmetric HS256 algorithm, the public key is used as the HMAC secret, so a forged token signed with the public key passes verification. This issue affects applications that support both symmetric and asymmetric keys in the same jwt.verify() call with a single key retrieval function.
Recommendations: Update to version 9.0.0, which resolves the issue for all affected versions (<= 8.5.1). As a temporary workaround, review and correct your key retrieval function so that it handles symmetric and asymmetric keys separately and never returns a public key for a token verified with an HMAC algorithm. Restrict access to the jwt.verify() function to minimize the risk of exploitation until the update is applied.

Weakness Enumeration
Improper Authentication

Related Identifiers
CVE-2022-23541
GHSA-HJRF-2M68-5959

Affected Products
Jsonwebtoken