Find, fix and prevent vulnerabilities in your code.
medium severity
- Vulnerable module: jsonwebtoken
- Introduced through: jsonwebtoken@8.5.1
Detailed paths
-
Introduced through: trailpack-passport@jaumard/trailpack-passport#dc378d6cb8dd224ae6ac12b55a1faeee6e5556f5 › jsonwebtoken@8.5.1Remediation: Upgrade to jsonwebtoken@9.0.0.
Overview
jsonwebtoken is a JSON Web Token implementation (symmetric and asymmetric)
Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm such that the library can be misconfigured to use legacy, insecure key types for signature verification. For example, DSA keys could be used with the RS256 algorithm.
Exploitability
Users are affected when using an algorithm and a key type other than the combinations mentioned below:
EC: ES256, ES384, ES512
RSA: RS256, RS384, RS512, PS256, PS384, PS512
RSA-PSS: PS256, PS384, PS512
And for Elliptic Curve algorithms:
ES256: prime256v1
ES384: secp384r1
ES512: secp521r1
Workaround
Users who are unable to upgrade to the fixed version can use the allowInvalidAsymmetricKeyTypes
option to true
in the sign()
and verify()
functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility.
Remediation
Upgrade jsonwebtoken
to version 9.0.0 or higher.
References
medium severity
- Vulnerable module: jsonwebtoken
- Introduced through: jsonwebtoken@8.5.1
Detailed paths
-
Introduced through: trailpack-passport@jaumard/trailpack-passport#dc378d6cb8dd224ae6ac12b55a1faeee6e5556f5 › jsonwebtoken@8.5.1Remediation: Upgrade to jsonwebtoken@9.0.0.
Overview
jsonwebtoken is a JSON Web Token implementation (symmetric and asymmetric)
Affected versions of this package are vulnerable to Improper Restriction of Security Token Assignment via the secretOrPublicKey
argument due to misconfigurations of the key retrieval function jwt.verify()
. Exploiting this vulnerability might result in incorrect verification of forged tokens when tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm.
Note:
This vulnerability affects your application if it supports the usage of both symmetric and asymmetric keys in jwt.verify()
implementation with the same key retrieval function.
Remediation
Upgrade jsonwebtoken
to version 9.0.0 or higher.
References
medium severity
- Vulnerable module: jsonwebtoken
- Introduced through: jsonwebtoken@8.5.1
Detailed paths
-
Introduced through: trailpack-passport@jaumard/trailpack-passport#dc378d6cb8dd224ae6ac12b55a1faeee6e5556f5 › jsonwebtoken@8.5.1Remediation: Upgrade to jsonwebtoken@9.0.0.
Overview
jsonwebtoken is a JSON Web Token implementation (symmetric and asymmetric)
Affected versions of this package are vulnerable to Improper Authentication such that the lack of algorithm definition in the jwt.verify()
function can lead to signature validation bypass due to defaulting to the none
algorithm for signature verification.
Exploitability
Users are affected only if all of the following conditions are true for the jwt.verify()
function:
A token with no signature is received.
No algorithms are specified.
A falsy (e.g.,
null
,false
,undefined
) secret or key is passed.
Remediation
Upgrade jsonwebtoken
to version 9.0.0 or higher.
References
medium severity
- Vulnerable module: passport
- Introduced through: passport@0.4.1
Detailed paths
-
Introduced through: trailpack-passport@jaumard/trailpack-passport#dc378d6cb8dd224ae6ac12b55a1faeee6e5556f5 › passport@0.4.1Remediation: Upgrade to passport@0.6.0.
Overview
passport is a Simple, unobtrusive authentication for Node.js.
Affected versions of this package are vulnerable to Session Fixation. When a user logs in or logs out, the session is regenerated instead of being closed.
Remediation
Upgrade passport
to version 0.6.0 or higher.