Auth0 corrects RCE flaw in JsonWebToken library used by 22,000 projects

Auth0 corrected a remote code execution flaw in the popular ‘JsonWebToken’ open-source library, which is used by more than 22,000 projects. It has been downloaded over 36,000,000 times per month via NPM.

The library is used by companies including Microsoft, Twilio and Salesforce.

The vulnerability is tracked as CVE-2022-23529 and affects versions below 9.0.0. Details and the fix were published just before Christmas, on the 21st of December.

JsonWebToken is an open-source library that allows you to sign and verify JSON Web Tokens.

“JSON Web Token (JWT), an open standard, is a way to securely send information among parties using a JSON object. The information is digitally signed and can therefore be trusted,” explains Auth0’s website.

Okta’s Auth0 developed the project and maintains it. It has more than 36 million monthly downloads from the NPM package repository and is used by 22,000 projects, which reflects its widespread adoption.

CVE-2022-23529 can be exploited to allow attackers to bypass authentication, gain access to confidential information and modify or steal data.

Unit 42 cautions, however, that a threat actor would first need to compromise the secret management process between the app and the JsonWebToken server. This makes the flaw harder to exploit and lowers its severity rating to 7.6/10.

JWT Secret Poisoning

Palo Alto Networks’ Unit 42 discovered the CVE-2022-23529 vulnerability and reported it to Auth0 promptly.

The researchers discovered that, by having the server verify a maliciously crafted JWS token, attackers could remotely execute code on servers running JsonWebToken.

The flaw is found in JsonWebToken’s verify() method, which is used to verify JWTs and return the decoded information. It accepts three parameters: token, secretOrPublicKey and options.

Because the secretOrPublicKey parameter is not checked, an attacker can pass a specially crafted object in its place and achieve arbitrary file writes on the target machine.

Figure: proof-of-concept malicious object in the request (source: Unit 42)

Unit 42 reported that remote code execution is possible through the same flaw with a different payload.

The vulnerability has been rated high severity (CVSS score 7.6). It is not considered critical because it is difficult to exploit: threat actors can only use it after compromising the secret management process.

The advisory states that “You will be affected only if untrusted entities can modify the key retrieval parameter of jwt.verify() on a host you control.”

In August 2022 the Auth0 team stated that they were working on a solution. The patch, JsonWebToken 9.0.0, was finally published on December 21st 2022.

The fix adds additional checks on the secretOrPublicKey parameter so that verify() no longer operates on malicious objects passed in place of a key.

JsonWebToken is a widely used open-source library, so the flaw’s impact is huge and will persist for a long time, until all dependent projects upgrade to a secure version.

Although the flaw is difficult to exploit, threat actors are eager to use such bugs. Given the potential targets, administrators should make applying this security update a top priority.