PT-2022-17594 · Jsrsasign · Jsrsasign
Adi Malyanker (+1)
Published 2022-06-25 · Updated 2022-07-13
CVE-2022-25898
CVSS v3.1: 8.6 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
jsrsasign versions prior to 10.5.25
Description
The issue concerns improper verification of cryptographic signatures. Specifically, JWS or JWT signatures containing non-Base64URL special characters or number-escaped characters may be mistakenly accepted as valid. This can affect authentication or authorization when jsrsasign's JWS or JWT validation is used in OpenID Connect or OAuth2.
Recommendations
Users should upgrade to version 10.5.25 to resolve the issue. For versions prior to 10.5.25, as a temporary workaround, validate the JWS or JWT string manually to ensure it contains only Base64URL and dot-safe characters before calling JWS.verify() or JWS.verifyJWT().
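The workaround above, implemented as a pre-check that runs before the library is called. This is an added example, not code from the advisory or from jsrsasign: the regex, the helper names (isSafeCompactJws, guardedVerify, runSamples) and the sample tokens are assumptions. The verifier is injected as a function parameter so the file runs without jsrsasign installed; in a real deployment you would pass jsrsasign's JWS.verify() or JWS.verifyJWT() named above.

```javascript
// Added example (not part of the advisory or of jsrsasign): a strict
// Base64URL-and-dot pre-check applied to a JWS/JWT compact serialization
// before any signature verification routine is invoked.

// Allowed alphabet for one Base64URL segment (RFC 4648 section 5, no padding).
const B64URL_SEGMENT = /^[A-Za-z0-9_-]+$/;

// Returns true only if `token` is exactly header.payload.signature, each part
// non-empty and made solely of Base64URL characters. Anything else (padding
// '=', standard Base64 '+' or '/', percent-escapes, missing or empty segments)
// is rejected before a parser ever sees it.
function isSafeCompactJws(token) {
  if (typeof token !== 'string') return false;
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  return parts.every((p) => B64URL_SEGMENT.test(p));
}

// Wraps a verifier such as jsrsasign's JWS.verifyJWT so that a token failing
// the pre-check is treated as an invalid signature and the library is never
// called with it. `verifyFn` is injected so this file runs stand-alone.
function guardedVerify(verifyFn, token, ...verifyArgs) {
  if (!isSafeCompactJws(token)) {
    return false;
  }
  return verifyFn(token, ...verifyArgs);
}

// Constructed sample tokens (not real credentials, not real signatures). Only
// the first is well-formed; the rest must be refused by the pre-check.
const SAMPLES = {
  wellFormed: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.abc-DEF_123',
  padding:    'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.abc-DEF_123==',
  stdBase64:  'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.abc+DEF/123',
  escaped:    'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.abc%2DDEF',
  twoParts:   'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0',
  emptySig:   'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.',
};

// Runs every sample through the guard with a stand-in verifier that records
// whether it was reached. Returns { name: { reachedVerifier, result } }.
function runSamples() {
  const report = {};
  for (const [name, token] of Object.entries(SAMPLES)) {
    let reached = false;
    // Stand-in for JWS.verifyJWT: always "succeeds" so the report shows
    // clearly which tokens the guard let through.
    const stubVerify = () => { reached = true; return true; };
    const result = guardedVerify(stubVerify, token, 'placeholder-key');
    report[name] = { reachedVerifier: reached, result };
  }
  return report;
}

console.log(runSamples());
```

The check is deliberately stricter than "does it look like a token": it rejects empty segments as well, so an unsigned compact serialization is refused at the same point. Apply it to the raw token string as received, before any URL-decoding or normalisation, so that an escaped or padded input cannot be turned into an acceptable one on the way in.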
Weakness Enumeration
Improper Verification of Cryptographic Signature
Related Identifiers
CVE-2022-25898
Affected Products
Jsrsasign