AVID-2026-R0963
Description
jsonwebtoken unrestricted key type could lead to legacy keys usage (CVE-2022-23539)
Details
Versions <=8.5.1 of the jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and key type combination other than those listed as unaffected in the GitHub Security Advisory. This issue has been fixed; please update to version 9.0.0, which validates asymmetric key type and algorithm combinations. Refer to the above-mentioned algorithm / key type combinations for the valid, secure configuration. After updating to version 9.0.0, if you still intend to sign or verify tokens using invalid key type/algorithm combinations, you will need to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.
Reason for inclusion in AVID: CVE-2022-23539 describes an insecure key-type handling vulnerability in the jsonwebtoken library (node-jsonwebtoken) that allows legacy/insecure key types to be used for signature verification. This is a software vulnerability in a widely used dependency that can appear in AI deployment stacks (token authentication, signing/verifying tokens for ML services, model serving, APIs). It constitutes a supply-chain risk in the software components used to build/run AI systems. It is not hardware/firmware-only. The report provides the CVE, affected versions, fix (upgrade to 9.0.0), and references, satisfying sufficient evidence.
References
- NVD entry
- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33
- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3
- https://security.netapp.com/advisory/ntap-20240621-0007/
Affected or Relevant Artifacts
- Developer: auth0
- Deployer: auth0
- Artifact Details:
| Type | Name |
|---|---|
| System | node-jsonwebtoken |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N |
| Base Score | 5.9 |
| Base Severity | 🟠 Medium |
| Attack Vector | NETWORK |
| Attack Complexity | 🔴 High |
| Privileges Required | 🟢 Low |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🟢 Low |
| Integrity Impact | 🔴 High |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-327 | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-12-22
- Version: 0.3.3
- AVID Entry