Homepage
About Snyk

Use of a Broken or Risky Cryptographic Algorithm Affecting jsonwebtoken package, versions <9.0.0

0.0
medium

Snyk CVSS

    Attack Complexity High
    Confidentiality High
    Integrity High

    Threat Intelligence

    EPSS 0.06% (26th percentile)
Expand this section
NVD
8.1 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-JSONWEBTOKEN-3180026
  • published 22 Dec 2022
  • disclosed 22 Dec 2022
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 22 Dec 2022

CVE-2022-23539 Open this link in a new tab
CWE-327 Open this link in a new tab

How to fix?

Upgrade jsonwebtoken to version 9.0.0 or higher.

Overview

jsonwebtoken is a JSON Web Token implementation (symmetric and asymmetric)

Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm such that the library can be misconfigured to use legacy, insecure key types for signature verification. For example, DSA keys could be used with the RS256 algorithm.

Exploitability

Users are affected when using an algorithm and a key type other than the combinations mentioned below:

EC: ES256, ES384, ES512

RSA: RS256, RS384, RS512, PS256, PS384, PS512

RSA-PSS: PS256, PS384, PS512

And for Elliptic Curve algorithms:

ES256: prime256v1

ES384: secp384r1

ES512: secp521r1

Workaround

Users who are unable to upgrade to the fixed version can use the allowInvalidAsymmetricKeyTypes option to true in the sign() and verify() functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility.