7.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23529

CVE-2022-23529: jsonwebtoken has insecure input validation in jwt.verify function

Overview

For versions <=8.5.1 of jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote code execution (RCE).

Am I affected?

This security issue is a concern when the jsonwebtoken library is used in an insecure way. Users are affected only if they allow untrusted entities to modify the key retrieval parameter of the jwt.verify() on a host that you control. In this scenario, if all the prerequisites are met, the issue may be exploitable. The source of this risk in this scenario would be in the calling code, and not in the library itself.

How do I fix it?

Users of jsonwebtoken 8.5.1 and earlier are encouraged to update to the latest version, 9.0.0, which presents safer code and important security checks that fixes this security flaw and others and prevents misuse of the package.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-23529

CVE-2022-23529:

7.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
jsonwebtoken	npm	<= 8.5.1	9.0.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient validation in the jwt.verify function's handling of the secretOrPublicKey parameter. The commit diff shows critical security checks were added in verify.js (via validateAsymmetricKey) to enforce algorithm-key type alignment. Prior to these patches, attackers could manipulate key parameters to trigger insecure code paths. The direct modification of verify.js in the security fix and CVE description explicitly implicate this function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-23529: jsonwebtoken has insecure input validation in jwt.verify function

Overview

Am I affected?

How do I fix it?

CVE-2022-23529:

7.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2022-23529: jsonwebtoken has insecure input validation in jwt.verify function

Overview

Am I affected?

How do I fix it?

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

7.6

7.6

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI