Improper Input Validation

The advisory has been revoked - it doesn't affect any version of package jsonwebtoken


  • Snyk ID: SNYK-JS-JSONWEBTOKEN-3180020
  • Published: 22 Dec 2022
  • Disclosed: 22 Dec 2022
  • Credit: Palo Alto Networks

Introduced: 22 Dec 2022

CVE-2022-23529
CWE-20

Amendment

This was deemed not a vulnerability.

Overview

jsonwebtoken is a JSON Web Token implementation (symmetric and asymmetric).

Affected versions of this package are vulnerable to Improper Input Validation.

Revocation

This vulnerability was revoked after ongoing community discussion because of the unreasonable exploitability requirements described below: the prerequisite is that an attacker would already have to be able to modify the application's source code in order to exploit it.

Original Description

If a malicious actor has the ability to modify the key retrieval parameter (the secretOrPublicKey argument described in the project readme) of the jwt.verify() function, they can gain remote code execution (RCE).

Exploitability

Users are affected only if they allow untrusted entities to modify the key retrieval parameter of jwt.verify() on a host that they control.
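An added example (not from the advisory or the jsonwebtoken project) of keeping the key retrieval parameter under application control: a closed resolver over trusted configuration is passed as jsonwebtoken's asynchronous getKey callback, and the accepted algorithms are pinned explicitly. It assumes the jsonwebtoken package is installed and uses a constructed sample key id and secret.

```javascript
'use strict';

// Constructed sample of trusted key material, normally loaded at startup
// from application configuration. Each entry pins the algorithm the key
// may be used with, so a token cannot pair an arbitrary alg with a key.
const TRUSTED_KEYS = Object.freeze({
  'hs-2022-12': { alg: 'HS256', key: 'constructed-example-secret-not-for-production' },
});

// Resolve a verification key from the token header. The lookup is a closed
// map over trusted configuration: nothing in the token or the request can
// introduce a new key or change how an existing key is used.
function resolveKey(header) {
  if (!header || typeof header.kid !== 'string') {
    throw new Error('token header has no usable kid');
  }
  // hasOwnProperty guards against kid values such as "constructor" that
  // would otherwise resolve through the object's prototype chain.
  if (!Object.prototype.hasOwnProperty.call(TRUSTED_KEYS, header.kid)) {
    throw new Error(`unknown kid: ${header.kid}`);
  }
  const entry = TRUSTED_KEYS[header.kid];
  if (header.alg !== entry.alg) {
    throw new Error(`alg ${header.alg} not allowed for kid ${header.kid}`);
  }
  return entry;
}

// Shape of jsonwebtoken's asynchronous key callback: (header, callback).
function getKey(header, callback) {
  try {
    callback(null, resolveKey(header).key);
  } catch (err) {
    callback(err);
  }
}

// Verify a token with jsonwebtoken (assumed installed). The algorithms
// option is set explicitly rather than inferred from the key contents.
function verifyToken(token) {
  const jwt = require('jsonwebtoken');
  return new Promise((resolve, reject) => {
    jwt.verify(token, getKey, { algorithms: ['HS256'] }, (err, payload) =>
      err ? reject(err) : resolve(payload));
  });
}
```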

Note: CVE-2022-23529 has been retracted because it was found to be invalid. The issue is not a vulnerability.