Synology has eliminated a critical vulnerability in VPN routers
15-01-2023, 12:25
Auth0 has fixed an RCE vulnerability in the popular open source library JsonWebToken, which is used in more than 22,000 projects and downloaded more than 36 million times a month from NPM.
JsonWebToken is an open source library for creating, signing and validating JSON Web Tokens. It is used in projects by Microsoft, Twilio, Salesforce, Intuit, Box, IBM, Docusign, Slack, SAP and many others, and is developed and maintained by Okta.
The vulnerability is tracked as CVE-2022-23529 and affects JsonWebToken versions prior to 9.0.0. Successful exploitation may allow attackers to bypass authentication mechanisms, gain access to confidential information, and steal or modify data.
The vulnerability is not rated critical and carries a CVSS score of 7.6, because exploitation requires the attacker to first compromise the secret-management process between the application and the JsonWebToken server, which makes it harder to exploit.
CVE-2022-23529 was discovered on July 13, 2022 by researchers at Palo Alto Networks' Unit 42 while examining a malicious JWS token.
The researchers found that an attacker could achieve remote code execution on a server through JsonWebToken's verify() method, which verifies a JWT and returns its decoded contents.
Because the secretOrPublicKey parameter was not validated, an attacker could supply a specially crafted object and perform an arbitrary file write on the target machine.
Using the same vulnerability with a different payload in the request, remote code execution can also be achieved.
The Auth0 team confirmed the problem in August 2022 and, after extensive work on a fix, released a patch in JsonWebToken version 9.0.0 on December 21, 2022.
The fix adds extra validation of the affected parameter.
Despite the difficulty of practical exploitation, the vulnerability will remain a serious supply-chain threat for a long time, until most dependent projects have upgraded to a fixed version.
Moreover, given JsonWebToken's wide adoption and the number of potential targets, the criminal potential and motivation of attackers should not be underestimated.