7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15084

GHSA ID

GHSA-6g6m-m6h5-w9gf

EPSS Score

0.20153%

CWE

CWE-285

Published

6/30/2020

Updated

2/2/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-15084

CVE-2020-15084: Authorization bypass in express-jwt

Overview

Versions before and including 5.3.3, we are not enforcing the algorithms entry to be specified in the configuration. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass.

Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

You are using express-jwt AND You do not have algorithms configured in your express-jwt configuration. AND You are using libraries such as jwks-rsa as the secret.

How to fix that?

Specify algorithms in the express-jwt configuration. The following is an example of a proper configuration

const checkJwt = jwt({
  secret: jwksRsa.expressJwtSecret({
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: `https://${DOMAIN}/.well-known/jwks.json`
  }),
  // Validate the audience and the issuer.
  audience: process.env.AUDIENCE,
  issuer: `https://${DOMAIN}/`,
  // restrict allowed algorithms
  algorithms: ['RS256']
});

Will this update impact my users?

The fix provided in patch will not affect your users if you specified the algorithms allowed. The patch now makes algorithms a required configuration.

Credit

IST Group

(GitHub Advisory)

7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15084

GHSA ID

GHSA-6g6m-m6h5-w9gf

EPSS Score

0.20153%

CWE

CWE-285

Published

6/30/2020

Updated

2/2/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
express-jwt	npm	<= 5.3.3	6.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing algorithm enforcement in the core middleware setup. The commit diff shows critical validation was added in lib/index.js (lines 22-24) to make 'algorithms' required. Before this fix, the function processing() JWT configuration didn't validate the presence of the 'algorithms' array, which is essential for preventing algorithm confusion attacks when using JWKS-based verification. This matches the CVE description of authorization bypass through missing algorithm restrictions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Ov*rvi*w V*rsions ***or* *n* in*lu*in* *.*.*, w* *r* not *n*or*in* t** ***l*orit*ms** *ntry to ** sp**i*i** in t** *on*i*ur*tion. W**n ***l*orit*ms** is not sp**i*i** in t** *on*i*ur*tion, wit* t** *om*in*tion o* jwks-rs*, it m*y l*** to *ut*oriz

Reasoning

T** vuln*r**ility st*ms *rom missin* *l*orit*m *n*or**m*nt in t** *or* mi**l*w*r* s*tup. T** *ommit *i** s*ows *riti**l `v*li**tion` w*s ***** in `li*/in**x.js` (lin*s **-**) to m*k* '*l*orit*ms' r*quir**. ***or* t*is *ix, t** *un*tion `pro**ssin*()`

7.7

Basic Information

Concerned about an active attack path?

CVE-2020-15084: Authorization bypass in express-jwt

Overview

Am I affected?

How to fix that?

Will this update impact my users?

Credit

7.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI