Severe Security Flaw Found in "jsonwebtoken" Library Used by 22,000+ Projects
A high-severity security flaw has been disclosed in the open source jsonwebtoken library that, if successfully exploited, could lead to remote code execution on a target server.
"By exploiting this vulnerability, attackers could achieve remote code execution on a server verifying a maliciously crafted JSON web token request," Palo Alto Networks Unit 42 researcher Artur Oleyarsh said in a Monday report.
"With that being said, in order to exploit the vulnerability described in this post and control the secretOrPublicKey value, an attacker will need to exploit a flaw within the secret management process," Oleyarsh explained.
As open source software increasingly emerges as a lucrative initial access pathway for threat actors to stage supply chain attacks, it's crucial that vulnerabilities in such tools are proactively identified, mitigated, and patched by downstream users.
Making matters worse is the fact that cybercriminals have become much faster at exploiting newly revealed flaws, drastically shrinking the time between a patch release and exploit availability.
According to Microsoft, it only takes 14 days on average for an exploit to be detected in the wild after public disclosure of a bug.
News URL: https://thehackernews.com/2023/01/critical-security-flaw-found-in.html