CVE-2022-23539, CVE-2022-23541, CVE-2022-23540: Security Update for jsonwebtoken

Overview
Am I affected?
How to fix that?
Will this update impact my users?

Published: Dec 21, 2022 CVE numbers: CVE-2022-23539, CVE-2022-23541, CVE-2022-23540

Overview

Auth0 has released a new major version of the jsonwebtoken library to address four vulnerabilities. We recommend you review the following security advisories and upgrade to the new major version:

Unrestricted key type could lead to legacy keys usage: CVE-2022-23539
Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC: CVE-2022-23541
Insecure default algorithm in .verify() could lead to signature validation bypass: CVE-2022-23540

Am I affected?

You could be affected if you are using jsonwebtoken in any version <= 8.5.1 depending on the configuration. Please consult the individual security advisories for more details.

How to fix that?

If you are using jsonwebtoken, upgrade to version 9.0.0 or higher. You may need some additional configuration. Please consult the individual security advisories for more details.

Will this update impact my users?

Updating to version 9.0.0 may impact your users depending on your configuration and application needs. Please consult the individual security advisories for more details.

Security Bulletins

CVE-2022-23505: Security Update for passport-wsfed-saml2 Library

⌘I