
CVE-2020-15084: Authorization bypass in express-jwt

CVSS Score (v3.1): 7.7

Basic Information

- EPSS Score: 0.20153%
- Published: 6/30/2020
- Updated: 2/2/2023
- KEV Status: No
- Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| express-jwt | npm | <= 5.3.3 | 6.0.0 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing algorithm enforcement in the core middleware setup. The commit diff shows that critical validation was added in lib/index.js (lines 22-24) to make 'algorithms' a required option. Before this fix, the function that processes the JWT configuration did not check that the 'algorithms' array was present, and pinning the accepted algorithms is essential for preventing algorithm confusion attacks when verification relies on JWKS-sourced keys. This matches the CVE description of an authorization bypass caused by missing algorithm restrictions.

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

### Overview

Versions before and including 5.3.3, we are not enforcing the **algorithms** entry to be specified in the configuration. When **algorithms** is not specified in the configuration, with the combination of jwks-rsa, it may lead to authoriz
