
CVE-2022-23540: jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()

CVSS Score (v3.1): 6.4

Basic Information

EPSS Score: 0.04367%
Published: 12/22/2022
Updated: 2/13/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
Package Name    Ecosystem    Vulnerable Versions    First Patched Version
jsonwebtoken    npm          < 9.0.0                9.0.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the jwt.verify() function's handling of algorithm validation. The commit diff shows security fixes in verify.js that add asymmetric key validation and remove default 'none' algorithm support. The CHANGELOG explicitly states the verify() function previously accepted unsigned tokens by default. The CVE description confirms the attack scenario requires jwt.verify() to be called without algorithm specification and with falsy secret/key - conditions directly tied to this function's implementation. The added validateAsymmetricKey checks in the patched version further confirm the vulnerability existed in the verification flow.
