Auth0 fixes RCE flaw in JsonWebToken library used by 22,000 projects
Auth0 fixed a remote code execution vulnerability in the immensely popular 'JsonWebToken' open-source library used by over 22,000 projects and downloaded over 36 million times per month on NPM. The library is used in open source projects created by Microsoft, Twilio, Salesforce, Intuit, Box, IBM, Docusign, Slack, SAP, and many more.
The JsonWebToken project is an open-source library used to create, sign, and verify JSON Web tokens.
The project is developed and maintained by Okta's Auth0 and has over 9 million weekly downloads on the NPM package repository, with over 22,000 projects depending on the library, reflecting its massive adoption.
Unit 42 warns that threat actors would first need to compromise the secret management process between an app and a JsonWebToken server, which makes the flaw harder to exploit and lowers its severity rating to 7.6/10. The vulnerability, tracked as CVE-2022-23529, was discovered by Palo Alto Networks' Unit 42 on July 13th, 2022, and was reported to Auth0 immediately.
The Auth0 team confirmed they were working on a solution in August 2022, and eventually, on December 21, 2022, a patch was released with JsonWebToken version 9.0.0.
Because JsonWebToken is such a broadly used open-source library, the flaw has massive supply chain repercussions, and it will continue to have them for an extended period until most dependent projects have upgraded to a secure version.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2022-12-21 | CVE-2022-23529 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. | 0.0