Improper Input Validation The advisory has been revoked - it doesn't affect any version of package org.webjars.npm:jsonwebtoken (opens in a new tab)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Improper Input Validation vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JAVA-ORGWEBJARSNPM-3180021
- published22 Dec 2022
- disclosed22 Dec 2022
- creditPalo Alto Networks
Introduced: 22 Dec 2022
CVE-2022-23529 (opens in a new tab)Amendment
This was deemed not a vulnerability.
Overview
Affected versions of this package are vulnerable to Improper Input Validation.
Revocation
This vulnerability was revoked after ongoing community discussion due to the unreasonable exploitability requirements stated below. The pre-requisite being that an attacker would have to have the ability to modify the source code in order to execute this vulnerability.
Original Description
If a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote code execution (RCE).
Exploitability
Users are affected only if they are allowing untrusted entities to modify the key retrieval parameter of the jwt.verify() on a host that they control.
Note: CVE-2022-23529 has been retracted because it was found to be invalid. The issue is not a vulnerability.