CVE-2022-23540: jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
CVSS Score: 6.4 (CVSS v3.1)
Basic Information
CVE ID:
GHSA ID:
EPSS Score: 0.04367%
CWE:
Published: 12/22/2022
Updated: 2/13/2025
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
jsonwebtoken | npm | < 9.0.0 | 9.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how the jwt.verify() function handles algorithm validation. The commit diff shows security fixes in verify.js that add asymmetric key validation and remove default support for the 'none' algorithm. The CHANGELOG explicitly states that verify() previously accepted unsigned tokens by default. The CVE description confirms the attack scenario: jwt.verify() is called without an algorithm specification and with a falsy secret/key, conditions tied directly to this function's implementation, and an unsigned (alg "none") token is then accepted as valid without any signature check. The validateAsymmetricKey checks added in the patched version further confirm that the weakness lay in the verification flow.