Palo Alto Networks’ Unit 42 warns that a flaw in the free and open-source JsonWebToken JavaScript package could be used to execute code remotely.
JsonWebToken, which is maintained by the Auth0 team and has more than 9 million weekly downloads, is used in many applications for authentication and authorization. It was created to assist with the signing and verification of JSON web token (JWT) requests. The vulnerability, identified as CVE-2022-23529 (CVSS 7.6), was discovered in the package’s verify function and can be exploited using a specially crafted JWT request.
During authentication, the user-supplied credentials are sent to the authentication endpoint, which verifies them and issues a JWT signed with a secret key.