CVE-2022-25898
First published: Fri Jul 01 2022(Updated: )
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. Workaround: Validate JWS or JWT signature if it has Base64URL and dot safe string before executing JWS.verify() or JWS.verifyJWT() method.
Credit: report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jsrsasign Project Jsrsasign | >=4.8.0<10.5.25 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/kjur/jsrsasign/commit/4536a6e9e8bcf1a644ab7c07ed96e453347dae41
- https://github.com/kjur/jsrsasign/releases/tag/10.5.25
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2935898
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-2935897
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2935896
- https://snyk.io/vuln/SNYK-JS-JSRSASIGN-2869122
Frequently Asked Questions
What is CVE-2022-25898?
CVE-2022-25898 is a vulnerability in the package jsrsasign before version 10.5.25 which allows for improper verification of cryptographic signatures.
How severe is CVE-2022-25898?
CVE-2022-25898 is considered critical with a severity score of 9.8.
Which software versions are affected by CVE-2022-25898?
The vulnerability affects jsrsasign package versions between 4.8.0 and 10.5.24.
How can I fix CVE-2022-25898?
To fix CVE-2022-25898, upgrade to jsrsasign version 10.5.25 or later.
Are there any workarounds for CVE-2022-25898?
One workaround is to validate the JWS or JWT signature to ensure it has proper encoding.
- collector/nvd-index
- vendor/jsrsasign project
- canonical/jsrsasign project jsrsasign
- version/jsrsasign project jsrsasign/4.8.0