JsonWebToken, which is maintained by the Auth0 team and has more than 9 million weekly downloads, is used in many applications for authentication and authorization. It was created to assist with the signing and verification of JSON Web Tokens (JWTs). The vulnerability, identified as CVE-2022-23529 (CVSS 7.6), was discovered in the package’s verify function and can be exploited using a specially crafted JWT request.
During authentication, the user-supplied credentials are sent to the authentication endpoint, which verifies them and generates a JWT signed with a secret key.