A remote code execution vulnerability has been identified in the open source JSON Web Token (JWT) library, affecting versions 8.5.1 and earlier. It was found by Unit 42 researchers at Palo Alto Networks back in July and was finally patched by the Auth0 engineering team just before Christmas. Now that a fix is widely available in JWT version 9.0.0, Unit 42 has published a blog post this week with an in-depth analysis of the vulnerability.
Auth0 is an authentication and authorisation platform run by Okta, an American access management company. Auth0 develops and maintains the JSON Web Token project, an open source JavaScript library used to transmit information securely as JSON objects. The library is used in open source projects by many organisations, including Microsoft, Twilio, Salesforce, IBM, DocuSign and Slack. JWTs can be digitally signed using public/private key pairs, which preserves the integrity of the transmitted information so that it can be verified and trusted. JWTs are commonly used for authorisation and authentication, such as in single sign-on features, or for information exchange where the data needs to be encrypted.
The vulnerability, tracked as CVE-2022-23529, has been given a critical severity rating with a CVSS base score of 9.8 by NIST's National Vulnerability Database. GitHub, however, which also published a third-party advisory, lowered the severity to high with a score of 7.6/10, because a potential attacker would first need to compromise the secret management process between the JWT server and an application, which makes exploitation of this vulnerability considerably harder.
A potential exploit of this vulnerability involves a threat actor controlling the secretOrPublicKey parameter of the verify function. The vulnerable code path is reached when the options passed to verify do not specify an algorithms list; verify then inspects secretOrPublicKey to decide which algorithms to allow. The parameter is expected to be a string or a Buffer, but no check enforces this, so the library blindly calls its toString() method. An attacker who can supply an object with an overridden toString() method can therefore cause the verify function to run with a malicious object. The overridden toString() function can then write an arbitrary file to the device, which can in turn lead to remote code execution. In the fixed JWT version 9.0.0 the vulnerable code has been removed, and checks on the type of secretOrPublicKey now prevent a malicious object from being passed in that parameter.
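The following added example (not code from the jsonwebtoken library or the Unit 42 post) contrasts the unchecked algorithm inference described above with the kind of type check the fix introduced; the function names and the shortened algorithm lists are illustrative, and the real fix also accepts a Node KeyObject, which is omitted here.

```javascript
// Added example: mirrors the kind of type check that version 9.0.0 introduced
// for secretOrPublicKey. Names (inferAlgorithms*, isAcceptableKey) are
// illustrative, not the library's own API.

// Pre-fix style: algorithms are inferred by calling toString() on whatever
// was passed, so a non-string, non-Buffer object has its own toString() run.
function inferAlgorithmsUnchecked(secretOrPublicKey) {
  const asText = secretOrPublicKey.toString();
  if (asText.includes('BEGIN CERTIFICATE') || asText.includes('BEGIN PUBLIC KEY')) {
    return ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512'];
  }
  if (asText.includes('BEGIN RSA PUBLIC KEY')) {
    return ['RS256', 'RS384', 'RS512'];
  }
  return ['HS256', 'HS384', 'HS512'];
}

// Hardened: only a string or Buffer is accepted; anything else is rejected
// before toString() is ever called, so a caller-controlled toString() never runs.
function isAcceptableKey(value) {
  return typeof value === 'string' || Buffer.isBuffer(value);
}

function inferAlgorithmsChecked(secretOrPublicKey) {
  if (!isAcceptableKey(secretOrPublicKey)) {
    throw new TypeError('secretOrPublicKey must be a string or Buffer');
  }
  return inferAlgorithmsUnchecked(secretOrPublicKey);
}

// Constructed object whose toString() only records that it was invoked;
// it stands in for any object a caller could pass instead of a key.
function makeTaintedKey() {
  const state = { invoked: false };
  const key = { toString() { state.invoked = true; return 'BEGIN PUBLIC KEY'; } };
  return { key, state };
}

function demo() {
  const { key, state } = makeTaintedKey();
  const unchecked = inferAlgorithmsUnchecked(key); // the object's toString() runs
  const ranUnchecked = state.invoked;
  state.invoked = false;
  let rejected = false;
  try { inferAlgorithmsChecked(key); } catch (e) { rejected = e instanceof TypeError; }
  return { unchecked, ranUnchecked, rejected, ranChecked: state.invoked };
}
```

Running demo() shows the unchecked path invoking the object's toString() and returning the public-key algorithm list, while the checked path throws a TypeError without ever touching toString().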
Development and security managers should check their software supply chain to determine whether vulnerable versions of the JWT library are included in their own systems or in third-party applications used on their networks.