CVE-2022-23541 Overview
CVE-2022-23541 is an authentication bypass vulnerability affecting the jsonwebtoken library, a widely-used implementation of JSON Web Tokens for Node.js applications. Versions <= 8.5.1 of the library can be misconfigured when using a poorly implemented key retrieval function for the secretOrPublicKey argument, resulting in incorrect verification of tokens. This vulnerability allows attackers to use a different algorithm and key combination during verification than what was originally used to sign the tokens.
Critical Impact
Tokens signed with an asymmetric public key could be verified using a symmetric HS256 algorithm, enabling successful validation of forged tokens. Applications supporting both symmetric and asymmetric key verification with the same key retrieval function are at risk.
Affected Products
- auth0 jsonwebtoken versions <= 8.5.1
- Node.js applications using vulnerable jsonwebtoken versions
- Applications implementing mixed symmetric/asymmetric key verification
Discovery Timeline
- 2022-12-22 - CVE-2022-23541 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-23541
Vulnerability Analysis
This vulnerability is classified as an Authentication Bypass (CWE-287) stemming from improper handling of algorithm and key validation in the JWT verification process. The core issue arises when applications use a key retrieval callback function that doesn't properly validate the relationship between the signing algorithm and the key type.
When jwt.verify() is called with a callback-based key retrieval function, the library fails to enforce that the algorithm used during verification matches the algorithm used during signing. This creates an algorithm confusion scenario where an attacker can manipulate the token header to specify HS256 (symmetric) algorithm while the application expects RS256 (asymmetric) verification.
Root Cause
The root cause lies in the library's inadequate validation of the algorithm-key relationship during token verification. When the secretOrPublicKey parameter is provided via a callback function, the library does not enforce proper constraints to ensure:
- The algorithm specified in the token header matches expected algorithms
- The key type is appropriate for the claimed algorithm
- Public keys cannot be used as symmetric secrets
This allows an attacker to craft a token with "alg": "HS256" in the header and sign it using the publicly available RSA public key as the HMAC secret, which the server will then incorrectly validate.
Attack Vector
The attack exploits applications that support both symmetric (HS256) and asymmetric (RS256/RS384/RS512) algorithms with a shared key retrieval function. An attacker can:
- Obtain the public RSA key (often publicly available)
- Create a malicious JWT with claims of their choosing
- Set the algorithm header to HS256
- Sign the token using the public key as the HMAC secret
- Submit the forged token for verification
The vulnerable application will retrieve the public key and use it as an HMAC secret, successfully validating the forged token.
// Security patch adding Node.js version check for asymmetric key details support
const semver = require('semver');
module.exports = semver.satisfies(process.version, '>=15.7.0');
Source: GitHub Commit Update
// Security patch adding Node.js version check for RSA-PSS key details support
const semver = require('semver');
module.exports = semver.satisfies(process.version, '>=16.9.0');
Source: GitHub Commit Update
Detection Methods for CVE-2022-23541
Indicators of Compromise
- JWT tokens with unexpected alg header values (e.g., HS256 when RS256 is expected)
- Authentication successes with tokens that should have failed verification
- Unusual patterns in token claims that don't match expected user attributes
- Log entries showing algorithm mismatches or unexpected key usage
Detection Strategies
- Implement application-level logging for JWT verification operations including algorithm used
- Monitor for tokens with alg header values that differ from expected application configuration
- Use dependency scanning tools to identify vulnerable versions of jsonwebtoken in your codebase
- Review code for jwt.verify() calls that use callback-based key retrieval without algorithm restrictions
Monitoring Recommendations
- Set up alerts for authentication anomalies such as successful auth from unexpected sources
- Implement rate limiting on authentication endpoints to slow potential exploitation attempts
- Enable verbose logging for JWT operations during incident investigation periods
- Monitor dependency vulnerability feeds for updates on jsonwebtoken security issues
How to Mitigate CVE-2022-23541
Immediate Actions Required
- Upgrade jsonwebtoken to version 9.0.0 or later immediately
- Audit existing code for callback-based key retrieval implementations
- Explicitly specify allowed algorithms in the jwt.verify() options parameter
- Review authentication logs for signs of prior exploitation
Patch Information
Auth0 has released version 9.0.0 of the jsonwebtoken library which addresses this vulnerability. The patch improves algorithm and key validation to prevent algorithm confusion attacks. Users should update their package dependencies by modifying package.json to require "jsonwebtoken": ">=9.0.0" and running npm update. For detailed patch information, see the GitHub Release v9.0.0 and the GitHub Security Advisory.
Workarounds
- Always explicitly specify the allowed algorithms using the algorithms option in jwt.verify()
- Separate key retrieval logic for symmetric and asymmetric algorithms
- Implement server-side validation that the token algorithm matches expected configuration
- Consider using distinct endpoints or verification paths for different algorithm types
# Update jsonwebtoken to patched version
npm install jsonwebtoken@9.0.0
# Verify installed version
npm list jsonwebtoken
# Audit for vulnerable dependencies
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
