What is the severity of CVE-2022-23540?

CVE-2022-23540 has been rated with a high severity level due to the potential for signature validation bypass.

How do I fix CVE-2022-23540?

To fix CVE-2022-23540, upgrade the jsonwebtoken library to version 9.0.0 or later.

Which versions are affected by CVE-2022-23540?

CVE-2022-23540 affects jsonwebtoken versions 8.5.1 and earlier.

What impact does CVE-2022-23540 have on applications?

CVE-2022-23540 can allow attackers to bypass signature verification, compromising the security of applications relying on the jsonwebtoken library.

Which products utilize vulnerable versions related to CVE-2022-23540?

Affected products include Auth0's jsonwebtoken library and IBM's Cognos Analytics versions up to 12.0.2.

Vulnerability/
CVE-2022-23540

high

7.6

CWE

347 287 327

22/12/2022

13/2/2025

CVE-2022-23540: jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()

First published: Thu Dec 22 2022(Updated: )

# Overview In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. # Am I affected? You will be affected if all the following are true in the `jwt.verify()` function: - a token with no signature is received - no algorithms are specified - a falsy (e.g. null, false, undefined) secret or key is passed # How do I fix it? Update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. # Will the fix impact my users? There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
redhat/jsonwebtoken	<9.0.0	9.0.0
IBM Cognos Analytics	<=12.0-12.0.2
IBM Cognos Analytics	<=11.2.0-11.2.4 FP2
npm/jsonwebtoken	<9.0.0	9.0.0
jsonwebtoken	<=8.5.1

Remedy

https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is the severity of CVE-2022-23540?
CVE-2022-23540 has been rated with a high severity level due to the potential for signature validation bypass.
How do I fix CVE-2022-23540?
To fix CVE-2022-23540, upgrade the jsonwebtoken library to version 9.0.0 or later.
Which versions are affected by CVE-2022-23540?
CVE-2022-23540 affects jsonwebtoken versions 8.5.1 and earlier.
What impact does CVE-2022-23540 have on applications?
CVE-2022-23540 can allow attackers to bypass signature verification, compromising the security of applications relying on the jsonwebtoken library.
Which products utilize vulnerable versions related to CVE-2022-23540?
Affected products include Auth0's jsonwebtoken library and IBM's Cognos Analytics versions up to 12.0.2.

collector/redhat-cve
agent/type
agent/first-publish-date
agent/remedy
agent/weakness
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2022-23540
agent/software-canonical-lookup
agent/severity
agent/title
collector/ibm-support
source/IBM
agent/author
collector/github-advisory-latest
source/GitHub
alias/GHSA-qwph-4952-7xr6
agent/references
agent/description
agent/event
collector/github-advisory
collector/mitre-cve
source/MITRE
agent/trending
agent/source
agent/last-modified-date
agent/softwarecombine
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-cve
source/NVD
collector/nvd-api
package-manager/redhat
vendor/ibm
canonical/ibm cognos analytics
version/ibm cognos analytics/12.0-12.0.2
version/ibm cognos analytics/11.2.0-11.2.4 fp2
package-manager/npm
vendor/auth0
canonical/jsonwebtoken
version/jsonwebtoken/8.5.1