
Upgrade jsonwebtoken for critical level security issues #1575

Merged
merged 1 commit into from Jan 4, 2023

Conversation

@seratch seratch commented Dec 27, 2022

Summary

$ npm audit
# npm audit report

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
fix available via `npm audit fix --force`
Will install jsonwebtoken@9.0.0, which is a breaking change
node_modules/jsonwebtoken

1 high severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force

Requirements (place an x in each [ ])

@seratch seratch added security pkg:oauth applies to `@slack/oauth-helper` labels Dec 27, 2022
@seratch seratch added this to the oauth@2.6.0 milestone Dec 27, 2022
@seratch seratch self-assigned this Dec 27, 2022
@seratch seratch changed the title Upgrade jsonwebtoken and mocha for critical level security issues Upgrade jsonwebtoken for critical level security issues Dec 27, 2022
Fonger commented Jan 4, 2023

No third-parameter options { algorithm: [...] } are provided, so the default ['none'] algorithm may be applied here.
It is highly possible that this vulnerability affects @slack/oauth.

decoded = verify(state, this.stateSecret) as StateObj;

@srajiang srajiang self-requested a review January 4, 2023 17:45