node-jsonwebtoken is a JsonWebToken implementation for node.js. For versions `<= 8.5.1` of the `jsonwebtoken` library, if a malicious actor has the ability to modify the key retrieval parameter (the `secretOrPublicKey` argument of the `jwt.verify()` function, as described in the readme), they can write arbitrary files on the host machine. Users are affected only if untrusted entities are allowed to modify the key retrieval parameter of `jwt.verify()` on a host that you control. This issue has been fixed; please update to version 9.0.0.
CVSS
No CVSS.
References
No reference.
Configurations
No configuration.
History
22 Dec 2022, 03:55
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2022-12-21 21:15
Updated : 2024-02-04 23:14
NVD link : CVE-2022-23529
Mitre link : CVE-2022-23529
CVE.ORG link : CVE-2022-23529
Products Affected
No product.
CWE
No CWE.