A new high-severity vulnerability has been found in the popular JsonWebToken open-source JavaScript package.
By exploiting the flaw, an attacker could perform remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request, explained Palo Alto Networks in a Monday advisory.
From a technical standpoint, JsonWebToken, which is developed and maintained by Auth0, allows developers to verify/sign JWTs and is principally used for authorization and authentication purposes.
At the time of writing, the package has over nine million weekly downloads and over 20,000 dependent projects. Because of this, Palo Alto Networks security researcher Artur Oleyarsh said the team immediately warned Auth0 when it first discovered the vulnerability (tracked as CVE-2022-23529) in July 2022.
"Typically, attacks on JWTs will involve different forgery techniques abusing buggy JWT implementations," Oleyarsh wrote.
"These kinds of attacks have severe consequences because, in most cases, a successful attack allows an attacker to bypass authentication and authorization mechanisms to access confidential information or steal and/or modify data."
At the same time, the Palo Alto Networks researcher clarified that to exploit the vulnerability, an attacker must also take advantage of a flaw within the secret management process. Due to the complexity of the vulnerability, Palo Alto Networks suggested a CVSS score of 7.6.
According to the security expert, the Auth0 engineering team provided a patch for the flaw in December 2022.
"We would like to thank the Auth0 team for professionally handling the disclosure process and providing a patch for the reported vulnerability," Oleyarsh added.
More generally, the cybersecurity expert said security awareness is crucial when using open-source software.
"Reviewing commonly used security open source implementations is necessary for maintaining their dependability, and it's something the open source community can take part in."
The vulnerability comes amidst a gargantuan increase in malicious activity targeting upstream open-source code repositories in the last months of 2022.