CVE-2023-48238: A Critical Vulnerability in json-web-token for Node.js
In the realm of cybersecurity, JSON Web Tokens (JWTs) have become an indispensable tool for secure communication and data exchange. However, even the most widely used technologies can harbor vulnerabilities, and a recent discovery in the popular json-web-token library for Node.js underscores this reality.
This high-severity vulnerability tracked as CVE-2023-48238 and assigned a CVSS score of 7.5, has the potential to enable malicious actors to launch JWT algorithm confusion attacks. The vulnerability, unearthed by security researcher PinkDraconian, stems from the library’s handling of the algorithm used to verify JWT signatures.
The crux of the issue lies in line 86 of the ‘index.js’ file, where the algorithm for verifying the signature is extracted directly from the JWT token itself. At this stage, the token remains unverified, making it a source of untrustworthy information.
An attacker exploiting this vulnerability could craft a malicious JWT token containing the HS256 algorithm, even if the victim application employs a different algorithm. This forged token, when signed with the victim’s public RSA key, could potentially trick the application into accepting the attacker’s arbitrary payload.
The impact of this vulnerability is particularly concerning given the widespread adoption of json-web-token, with over 4000 weekly downloads and over 2700 GitHub repositories relying on it. Applications that utilize the RS256 algorithm are especially vulnerable to this attack.
Fortunately, two effective solutions exist to mitigate the CVE-2023-48238 vulnerability:
Modify the signature of the decode function: By explicitly setting the algorithm within the decode function, the application can prevent the library from relying on the untrusted algorithm embedded in the JWT token.
Validate the secret key: Within the decode function, check whether the secret key could be a public key. If so, explicitly set the key to a public key to ensure proper validation.
By implementing either of these solutions, developers can effectively shield their applications from the JWT algorithm confusion attack and safeguard the integrity of their data and communications. Vigilant patching and proactive security measures remain crucial in the ongoing battle against evolving cybersecurity threats.