Improper Input Validation The advisory has been revoked - it doesn't affect any version of package jsonwebtoken Open this link in a new tab
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-JSONWEBTOKEN-3180020
- published 22 Dec 2022
- disclosed 22 Dec 2022
- credit Palo Alto Networks
Introduced: 22 Dec 2022
CVE-2022-23529 Open this link in a new tabAmendment
This was deemed not a vulnerability.
Overview
jsonwebtoken is a JSON Web Token implementation (symmetric and asymmetric)
Affected versions of this package are vulnerable to Improper Input Validation.
Revocation
This vulnerability was revoked after ongoing community discussion due to the unreasonable exploitability requirements stated below. The pre-requisite being that an attacker would have to have the ability to modify the source code in order to execute this vulnerability.
Original Description
If a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote code execution (RCE).
Exploitability
Users are affected only if they are allowing untrusted entities to modify the key retrieval parameter of the jwt.verify() on a host that they control.
Note: CVE-2022-23529 has been retracted because it was found to be invalid. The issue is not a vulnerability.