Skip to content

Security flaw found in Okta’s Auth0’s JWT library allowing RCE

  • by
  • 2 min read

A high-severity flaw has been disclosed in the open-source jsonwebtoken (JWT) library made by Auth0, owned by Okta. The vulnerability allows remote code execution on a target server and is tracked as CVE-2022-23529 with a CVSS score of 7.6. 

The library is essentially a JavaScript module that allows users to generate, decrypt and verify JSON web tokens to authenticate and authorise between a server and a client device. 

The issue currently impacts every library version with over 10 million weekly downloads on NPM and is used across 22,000 projects. Popular sites that use Auth0’s security libraries include Zoom, AMD, WeTransfer and Polaris. 

The vulnerability itself was discovered by Palo Alto Networks Unit 42 researcher Artur Oleyarsh. The issue was reported to Auth0 on July 13, 2022, and was fixed in version 9.0.0, released on December 21, 2022. 

An arbitrary text file is written by the poisoned security key. | Source: Unit 42

Because of a string checking and conversion bug in the library’s secret management process, a poisoned secret can bypass authorisation and run arbitrary code on the server, potentially allowing threat actors to overwrite any files on the host and take control by elevating privileges or stealing credentials. 

Following version 9.0.0 code, this vulnerability has been fixed by removing the vulnerable code and adding checks for the security key to catch any malicious or poisoned keys before any other code can be executed. 

Open-source libraries like JWT often come under the scanner of threat actors actively looking for ways to bypass authentication measures. Besides, bugs in popularly used libraries can lead to bigger problems, including data breaches and remote takeovers for the companies, products and services using them as authentication means. 

In the News: Fairphone 2 will stop receiving updates after 7 years in March 2023

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: