SecurityWeek reports that threat actors could exploit a security flaw in the widely used open source JavaScript package JsonWebToken to facilitate remote code execution.
The vulnerability, tracked as CVE-2022-23529 and discovered by Palo Alto Networks' Unit 42 researchers, lies in the package's verify function and stems from the lack of validation of one of its parameters. Because that parameter is not checked, an attacker with a maliciously crafted JWT request could use it to hand the verify function a malicious object, which could then enable method override and arbitrary file writing.
JsonWebToken versions 8.5.1 and earlier are affected by the flaw, which has been addressed in JsonWebToken version 9.0.0. Immediate application of the updated version has been urged.
"Security awareness is crucial when using open source software. Reviewing commonly used security open source implementations is necessary for maintaining their dependability, and it's something the open source community can take part in," said Unit 42.