
Conversation

lahirumaramba

@lahirumaramba lahirumaramba commented Dec 22, 2022

Bumps jsonwebtoken from 8.5.1 to 9.0.0.

  • The verify() function no longer accepts unsigned tokens by default. Updated the unit tests and the emulator signature verifier to explicitly set { algorithms: ['none'] }.
  • Key types must be valid for the signing / verification algorithm. `rs` key types now must have an `rs`-type algorithm in the header. Updated the tests to set a custom secret for unsigned (alg: none) mock keys.
  • HS* algorithms must use asymmetric keys. Updated the invalid-algorithm tests to use invalid RS-type algorithms instead.

jsonwebtoken v9.0.0 includes the following security fixes:

  • security: fixes Arbitrary File Write via verify function - CVE-2022-23529
  • security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
  • security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
  • security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

Resolves: #2023

RELEASE NOTES: Bumped the jsonwebtoken package to v9.0.0 to address the security issues.

@lahirumaramba lahirumaramba added the release:stage Stage a release candidate label Dec 22, 2022
