6.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23540

GHSA ID

GHSA-qwph-4952-7xr6

EPSS Score

0.04367%

CWE

CWE-287

Published

12/22/2022

Updated

2/13/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23540

CVE-2022-23540: jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()

Overview

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification.

Am I affected?

You will be affected if all the following are true in the jwt.verify() function:

a token with no signature is received
no algorithms are specified
a falsy (e.g. null, false, undefined) secret or key is passed

How do I fix it?

Update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method.

Will the fix impact my users?

There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

(GitHub Advisory)

6.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23540

GHSA ID

GHSA-qwph-4952-7xr6

EPSS Score

0.04367%

CWE

CWE-287

Published

12/22/2022

Updated

2/13/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
jsonwebtoken	npm	< 9.0.0	9.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the jwt.verify() function's handling of algorithm validation. The commit diff shows security fixes in verify.js that add asymmetric key validation and remove default 'none' algorithm support. The CHANGELOG explicitly states the verify() function previously accepted unsigned tokens by default. The CVE description confirms the attack scenario requires jwt.verify() to be called without algorithm specification and with falsy secret/key - conditions directly tied to this function's implementation. The added validateAsymmetricKey checks in the patched version further confirm the vulnerability existed in the verification flow.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

# Ov*rvi*w In v*rsions <=*.*.* o* jsonw**tok*n li*r*ry, l**k o* *l*orit*m ***inition *n* * **lsy s**r*t or k*y in t** `jwt.v*ri*y()` *un*tion **n l*** to si*n*tur* v*li**tion *yp*ss *u* to ****ultin* to t** `non*` *l*orit*m *or si*n*tur* v*ri*i**tio

Reasoning

T** vuln*r**ility st*ms *rom t** jwt.v*ri*y() *un*tion's **n*lin* o* *l*orit*m v*li**tion. T** *ommit *i** s*ows s**urity *ix*s in v*ri*y.js t**t *** *symm*tri* k*y v*li**tion *n* r*mov* ****ult 'non*' *l*orit*m support. T** ***N**LO* *xpli*itly st*t

6.4

Basic Information

Concerned about an active attack path?

CVE-2022-23540: jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()

Overview

Am I affected?

How do I fix it?

Will the fix impact my users?

6.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI