A high-severity flaw has been disclosed in the open-source jsonwebtoken (JWT) library made by Auth0, owned by Okta. The vulnerability allows remote code execution on a target server and is tracked as CVE-2022-23529 with a CVSS score of 7.6.
The issue currently impacts every library version with over 10 million weekly downloads on NPM and is used across 22,000 projects. Popular sites that use Auth0’s security libraries include Zoom, AMD, WeTransfer and Polaris.
The vulnerability itself was discovered by Palo Alto Networks Unit 42 researcher Artur Oleyarsh. The issue was reported to Auth0 on July 13, 2022, and was fixed in version 9.0.0, released on December 21, 2022.
Because of a string checking and conversion bug in the library’s secret management process, a poisoned secret can bypass authorisation and run arbitrary code on the server, potentially allowing threat actors to overwrite any files on the host and take control by elevating privileges or stealing credentials.
Following version 9.0.0 code, this vulnerability has been fixed by removing the vulnerable code and adding checks for the security key to catch any malicious or poisoned keys before any other code can be executed.
Open-source libraries like JWT often come under the scanner of threat actors actively looking for ways to bypass authentication measures. Besides, bugs in popularly used libraries can lead to bigger problems, including data breaches and remote takeovers for the companies, products and services using them as authentication means.