CVE-2022-23529 Information

Description

node-jsonwebtoken is a JsonWebToken implementation for node.js. For versions <= 8.5.1 of jsonwebtoken library if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link of the jwt.verify() function they can write arbitrary files on the host machine. Users are affected only if untrusted entities are allowed to modify the key retrieval parameter of the jwt.verify() on a host that you control. This issue has been fixed please update to version 9.0.0.

Reference

https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-27h2-hvpr-p74q https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3