🚨 [security] Upgrade jsonwebtoken: 8.5.1 → 9.0.0 (major) #46

depfu · 2022-12-22T04:09:08Z

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ jsonwebtoken (8.5.1 → 9.0.0) · Repo · Changelog

Security Advisories 🚨

🚨 jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC

Overview

Versions <=8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the secretOrPublicKey argument from the readme link) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens.

Am I affected?

You will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function.

How do I fix it?

Update to version 9.0.0

Will the fix impact my users?

There is no impact for end users

🚨 jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()

Overview

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification.

Am I affected?

You will be affected if you do not specify algorithms in the jwt.verify() function

How do I fix it?

Update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method.

Will the fix impact my users?

There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

🚨 jsonwebtoken unrestricted key type could lead to legacy keys usage

Overview

Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.

Am I affected?

You are affected if you are using an algorithm and a key type other than the combinations mentioned below

Key type algorithm

ec ES256, ES384, ES512

rsa RS256, RS384, RS512, PS256, PS384, PS512

rsa-pss PS256, PS384, PS512

And for Elliptic Curve algorithms:

alg Curve

ES256 prime256v1

ES384 secp384r1

ES512 secp521r1

How do I fix it?

Update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, If you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.

Will the fix impact my users?

There will be no impact, if you update to version 9.0.0 and you already use a valid secure combination of key type and algorithm. Otherwise, use the allowInvalidAsymmetricKeyTypes option to true in the sign() and verify() functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility.

🚨 jsonwebtoken has insecure input validation in jwt.verify function

Overview

For versions <=8.5.1 of jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote code execution (RCE).

Am I affected?

You are affected only if you allow untrusted entities to modify the key retrieval parameter of the jwt.verify() on a host that you control.

How do I fix it?

Update to version 9.0.0

Will the fix impact my users?

The fix has no impact on end users.

Credits

Palo Alto Networks

Commits

See the full diff on Github. The new version differs by 17 commits:

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@depfu rebase
Rebases against your default branch and redoes this update

@depfu recreate
Recreates this PR, overwriting any edits that you've made to it

@depfu merge
Merges this PR once your tests are passing and conflicts are resolved

@depfu close
Closes this PR and deletes the branch

@depfu reopen
Restores the branch and reopens this PR (if it's closed)

@depfu pause
Ignores all future updates for this dependency and closes this PR

@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR

@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

vercel · 2022-12-22T04:09:10Z

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated
notiolink	✅ Ready (Inspect)	Visit Preview	💬 Add your feedback	Feb 11, 2023 at 0:06AM (UTC)

theodorusclarence · 2022-12-22T05:15:02Z

@depfu rebase

depfu bot added the depfu label Dec 22, 2022

vercel bot deployed to Preview December 22, 2022 04:09 View deployment

depfu bot force-pushed the depfu/update/yarn/jsonwebtoken-9.0.0 branch from 93fc502 to 3da99c3 Compare December 22, 2022 05:15

vercel bot deployed to Preview December 22, 2022 05:17 View deployment

Update jsonwebtoken to version 9.0.0

feff847

depfu bot force-pushed the depfu/update/yarn/jsonwebtoken-9.0.0 branch from 3da99c3 to feff847 Compare February 11, 2023 12:05

vercel bot deployed to Preview February 11, 2023 12:06 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

🚨 [security] Upgrade jsonwebtoken: 8.5.1 → 9.0.0 (major) #46

🚨 [security] Upgrade jsonwebtoken: 8.5.1 → 9.0.0 (major) #46

depfu bot commented Dec 22, 2022 •

edited

vercel bot commented Dec 22, 2022 •

edited

theodorusclarence commented Dec 22, 2022

Key type	algorithm
ec	ES256, ES384, ES512
rsa	RS256, RS384, RS512, PS256, PS384, PS512
rsa-pss	PS256, PS384, PS512

🚨 [security] Upgrade jsonwebtoken: 8.5.1 → 9.0.0 (major) #46

Are you sure you want to change the base?

🚨 [security] Upgrade jsonwebtoken: 8.5.1 → 9.0.0 (major) #46

Conversation

depfu bot commented Dec 22, 2022 • edited

What changed?

✳️ jsonwebtoken (8.5.1 → 9.0.0) · Repo · Changelog

🚨 jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC

Overview

Am I affected?

How do I fix it?

Will the fix impact my users?

🚨 jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()

Overview

Am I affected?

How do I fix it?

Will the fix impact my users?

🚨 jsonwebtoken unrestricted key type could lead to legacy keys usage

Overview

Am I affected?

How do I fix it?

Will the fix impact my users?

🚨 jsonwebtoken has insecure input validation in jwt.verify function

Overview

Am I affected?

How do I fix it?

Will the fix impact my users?

Credits

vercel bot commented Dec 22, 2022 • edited

theodorusclarence commented Dec 22, 2022

depfu bot commented Dec 22, 2022 •

edited

vercel bot commented Dec 22, 2022 •

edited