A high-severity security flaw has been disclosed in the open-source jsonwebtoken (JWT) library that, if successfully exploited, could lead to remote code execution on a target server. The flaw is tracked as CVE-2022-23529, affects all versions of the library up to and including 8.5.1, and has been addressed in version 9.0.0, shipped on December 21, 2022. jsonwebtoken is a JavaScript module that allows users to decode, verify, and generate JSON Web Tokens as a means of securely transmitting information between two parties for authorization and authentication.
The Role of Okta’s Auth0 in Encoding, Decoding and Validating JSON Web Tokens
jsonwebtoken (JWT) is an open-source library that allows users to encode, decode, and validate JSON Web Tokens (JWT) in JavaScript. JSON Web Tokens are a type of token that can be used to securely transmit information between two parties and are commonly used for authentication and authorization purposes.
The tokens are composed of three parts:
- header
- payload
- signature
The header and payload are Base64-encoded JSON strings, and the signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn’t changed along the way.
The jsonwebtoken library is developed and maintained by Okta’s Auth0. It is used by more than 22,000 projects and is downloaded more than 10 million times a week from the npm software registry.
The main risk of the severe security flaw found in the “jsonwebtoken” library is that a successful exploit could lead to remote code execution on the target server: an attacker could run malicious code on the server, breaking its confidentiality and integrity guarantees, and potentially overwrite arbitrary files on the host and perform any action of their choosing using a poisoned secret key.
The Secret Management Process Weakness in jsonwebtoken Library
To abuse the secretOrPublicKey parameter, an attacker would first need to exploit a flaw within the application’s secret management process. JSON Web Tokens (JWT) are signed and verified using the secretOrPublicKey value. If an attacker is able to control this value, they can create a malicious JWT with a payload of their choosing, and the server will accept it as a valid token because it is signed with the compromised secretOrPublicKey. This can lead to remote code execution on the server if the attacker crafts the payload in a specific way. The exact method by which the attacker can exploit the secret management process is not specified in the article, but it is noted that it is a crucial step in the exploit of this vulnerability.
How is JWT an important part of an API?
APIs (application programming interfaces) often use JSON Web Tokens (JWT) to authenticate and authorize clients. JWT makes it possible for the client and the server to securely send information to each other without storing any information about the client session.
When a client sends a request to an API, it sends the JWT along with the request. The server can then decode the JWT, check the signature to ensure that it was not tampered with, and validate the claims in the JWT. The claims in the JWT usually include information about the user, such as the user’s ID and the permissions they have. With this information, the server can figure out if the client has the right permissions to access the requested resource.
JWT is also a good choice for securing an API because it is lightweight and easy to use. It doesn’t need any extra libraries or dependencies, and any application can easily work with it.
Overall, JWT is a safe and efficient way to authenticate and authorize API clients, which makes it an important part of API security.
Mitigating this CVE with BLST Security solution
The BLST Security solution is at the forefront of API security and observability, which will align organizations of any size with their business goals.
Using its dedicated authentication analysis, the BLST solution is able to surface numerous authentication anomalies and vulnerabilities.
Being able to map and visualize the volume of API calls and the endpoints they reach allows IT and security teams to make informed decisions about whether an endpoint or component is worth keeping operational, and about how to reduce risk by minimizing the attack surface.