- Snyk ID SNYK-JS-JSONWEBTOKEN-3180026
- published 22 Dec 2022
- disclosed 22 Dec 2022
- credit Unknown
- Introduced: 22 Dec 2022
- CVE-2022-23539
How to fix?
Upgrade jsonwebtoken to version 9.0.0 or higher.
jsonwebtoken is a JSON Web Token implementation (symmetric and asymmetric). Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm because the library can be misconfigured to use legacy, insecure key types for signature verification. For example, DSA keys could be used with the RS256 algorithm.
Users are affected when using an algorithm and a key type other than the combinations mentioned below:
- EC: ES256, ES384, ES512
- RSA: RS256, RS384, RS512, PS256, PS384, PS512
- RSA-PSS: PS256, PS384, PS512
And for Elliptic Curve algorithms:
Users who are unable to upgrade to the fixed version can set the allowInvalidAsymmetricKeyTypes option to true in the verify() function to continue using an invalid key type/algorithm combination in 9.0.0 for legacy compatibility.