CVE-2022-23529

node-jsonwebtoken is a JsonWebToken implementation for node.js. For versions `<= 8.5.1` of `jsonwebtoken` library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the `secretOrPublicKey` argument from the readme link of the `jwt.verify()` function, they can write arbitrary files on the host machine. Users are affected only if untrusted entities are allowed to modify the key retrieval parameter of the `jwt.verify()` on a host that you control. This issue has been fixed, please update to version 9.0.0.

Attack Vector (AV)	Network	Adjacent	Local	Physical
Attack Complexity (AC)	LOW	High
Privileges Required (PR)	None	Low	High
User Interaction (UI)	None	Required
Scope (S)	Unchange	Change
Confidentiality (C)	None	Low	High
Integrity (I)	None	Low	High
Availability (A)	None	Low	High

CVE Infomation	Exploits or more Infomation
mitre	EXPLOIT DATABASE
NVD	0day.today
vulmon.com	github
CVE Details	Twitter
JVN ENG JPN
Reconshell

List of frequently cited URLs

URL	Num of Times Referred to
https://thehackernews.com/2023/01/critical-security-flaw-fo...	203
https://cvetrends.com	51
https://github.com/github/advisory-database/pull/1595	7
https://unit42.paloaltonetworks.jp/jsonwebtoken-vulnerabili...	7
https://unit42.paloaltonetworks.com/jsonwebtoken-vulnerabil...	7
http://canyoupwn.me	4
https://opsmtrs.com/3u44jMT	3
https://twitter.com/cyph3r_asr/status/1612684465977061376	3
https://b.hatena.ne.jp/entry/s/unit42.paloaltonetworks.jp/j...	3
https://security.sios.jp/vulnerability/node-jsonwebtoken-se...	3
https://securityboulevard.com/2023/01/cve-2022-23529-should...	3
https://xcloud.spectrum.colortokens.com/cve/CVE-2022-23529	3

User	URL	Info Source	Date
angsuman	https://github.com/advisories/GHSA-27h2-hvpr-p74q	Source angsuman 1614291024935030784	2023/01/15
yosiokamamoru	https://vaiden.info/sign_up/?4a06	Source yosiokamamoru 1614396699044360192	2023/01/15
fujii_chikara	https://vaiden.info/?26b5	Source fujii_chikara 1614611863471534080	2023/01/15
CVEtrends	https://cvetrends.com	Source CVEtrends 1614623450039046144	2023/01/15
yosiokamamoru	https://vaiden.info/sign_up/?d5bb	Source yosiokamamoru 1614785535331164160	2023/01/16
CVEtrends	https://cvetrends.com	Source CVEtrends 1614985837292257282	2023/01/16
MichaelErmer_	https://github.com/github/advisory-database/pull/1595	Source MichaelErmer_ 1615264904134463488	2023/01/17
CVEtrends	https://cvetrends.com	Source CVEtrends 1615348232607125505	2023/01/17
t_nihonmatsu	https://github.com/github/advisory-database/pull/1595#issue...	Source t_nihonmatsu 1615532189877432320	2023/01/18
trashp4ndasec	https://www.rezilion.com/blog/cve-2022-23529-should-you-be-...	Source trashp4ndasec 1617554409549963264	2023/01/24
jmcmurry	https://unit42.paloaltonetworks.com/jsonwebtoken-vulnerabil...	Source jmcmurry 1617671919310090241	2023/01/24
Aktodotio	https://www.akto.io/blog/jwt-rce	Source Aktodotio 1617837645572497408	2023/01/24
Aktodotio	https://twitter.com/Aktodotio/status/1617837645572497408/ph...	Source Aktodotio 1617837645572497408	2023/01/24
0xGodson_	https://unit42.paloaltonetworks.com/jsonwebtoken-vulnerabil...	Source 0xGodson_ 1618649093542408193	2023/01/27
uzlopak	https://github.com/github/advisory-database/pull/1595#event...	Source uzlopak 1619095479920521216	2023/01/28
webtonull	https://twitter.com/webtonull/status/1619099474185408513/ph...	Source webtonull 1619099474185408513	2023/01/28
tyage	https://github.com/github/advisory-database/pull/1595#issue...	Source tyage 1619117448917299200	2023/01/28
6jz	https://nvd.nist.gov/vuln/detail/CVE-2022-23529	Source 6jz 1619121450958618624	2023/01/28
MichaelErmer_	https://github.com/github/advisory-database/pull/1595#issue...	Source MichaelErmer_ 1619124580706287619	2023/01/28
yarlob	https://twitter.com/yarlob/status/1619127511849504770/photo/1	Source yarlob 1619127511849504770	2023/01/28
junya	https://github.com/github/advisory-database/pull/1595#issue...	Source junya 1619201327258800128	2023/01/28
mic_wg	https://nvd.nist.gov/vuln/detail/CVE-2022-23529	Source mic_wg 1619687397440241664	2023/01/29
ganta0087	https://github.com/advisories/GHSA-27h2-hvpr-p74q	Source ganta0087 1619699436074184705	2023/01/29
yuj1osm	https://github.com/github/advisory-database/pull/1595	Source yuj1osm 1619923383751438336	2023/01/30
t_nihonmatsu	https://github.com/github/advisory-database/pull/1595#issue...	Source t_nihonmatsu 1619927923468926976	2023/01/30
t_nihonmatsu	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23529	Source t_nihonmatsu 1619932387684777985	2023/01/30
t_nihonmatsu	https://access.redhat.com/security/cve/cve-2022-23529	Source t_nihonmatsu 1619932387684777985	2023/01/30
t_nihonmatsu	https://twitter.com/t_nihonmatsu/status/1619932387684777985...	Source t_nihonmatsu 1619932387684777985	2023/01/30
realperumalj	https://youtu.be/CBJbXOQskaQ	Source realperumalj 1620600113893875715	2023/02/01
td2sk	https://nvd.nist.gov/vuln/detail/CVE-2022-23529	Source td2sk 1620669832722276354	2023/02/01
td2sk	https://unit42.paloaltonetworks.com/jsonwebtoken-vulnerabil...	Source td2sk 1620670931302760451	2023/02/01
Ltomu_website	https://unit42.paloaltonetworks.jp/jsonwebtoken-vulnerabili...	Source Ltomu_website 1620723791109423106	2023/02/01
digininja	https://www.secureideas.com/blog/what-happened-to-cve-2022-...	Source digininja 1621118895011811328	2023/02/02
digininja	https://twitter.com/digininja/status/1613140779723005952	Source digininja 1621118895011811328	2023/02/02
_CryptoCat	https://www.secureideas.com/blog/what-happened-to-cve-2022-...	Source _CryptoCat 1621124857739227138	2023/02/02
oboenikui	https://github.com/github/advisory-database/pull/1595#issue...	Source oboenikui 1622393766224224257	2023/02/06
oboenikui	https://unit42.paloaltonetworks.jp/jsonwebtoken-vulnerabili...	Source oboenikui 1622393768161992704	2023/02/06
red_fat_daruma	https://unit42.paloaltonetworks.com/jsonwebtoken-vulnerabil...	Source red_fat_daruma 1622406810895515649	2023/02/06
t_nihonmatsu	https://github.com/github/advisory-database/pull/1595#issue...	Source t_nihonmatsu 1622500691389579264	2023/02/06
viehgroup	https://unit42.paloaltonetworks.com/jsonwebtoken-vulnerabil...	Source viehgroup 1622575333781172224	2023/02/06
blueteamsec1	http://dlvr.it/SjFLG3	Source blueteamsec1 1624204711112110080	2023/02/11
bugbounty0	https://unit42.paloaltonetworks.com/jsonwebtoken-vulnerabil...	Source bugbounty0 1624972930135498752	2023/02/13
ipssignatures	https://twitter.com/bugbounty0/status/1624972930135498752	Source ipssignatures 1625134198762733568	2023/02/13
Telemetry_Deck	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23529	Source Telemetry_Deck 1625439346789650432	2023/02/14
FINSIN_CL	https://unit42.paloaltonetworks.com/jsonwebtoken-vulnerabil...	Source FINSIN_CL 1627971575851917313	2023/02/21
zeyu2001	https://twitter.com/DailySwig/status/1631294733367615494	Source zeyu2001 1631312380637446145	2023/03/03

User	URL	Info Source
angsuman	github.com	Show Tweet
yosiokamamoru	vaiden.info	Show Tweet
fujii_chikara	vaiden.info	Show Tweet
CVEtrends	cvetrends.com	Show Tweet
yosiokamamoru	vaiden.info	Show Tweet
CVEtrends	cvetrends.com	Show Tweet
MichaelErmer_	github.com	Show Tweet
CVEtrends	cvetrends.com	Show Tweet
t_nihonmatsu	github.com	Show Tweet
trashp4ndasec	rezilion.com	Show Tweet
jmcmurry	unit42.paloaltonetworks.com	Show Tweet
Aktodotio	akto.io	Show Tweet
Aktodotio	twitter.com	Show Tweet
0xGodson_	unit42.paloaltonetworks.com	Show Tweet
uzlopak	github.com	Show Tweet
webtonull	twitter.com	Show Tweet
tyage	github.com	Show Tweet
6jz	nvd.nist.gov	Show Tweet
MichaelErmer_	github.com	Show Tweet
yarlob	twitter.com	Show Tweet
junya	github.com	Show Tweet
mic_wg	nvd.nist.gov	Show Tweet
ganta0087	github.com	Show Tweet
yuj1osm	github.com	Show Tweet
t_nihonmatsu	github.com	Show Tweet
t_nihonmatsu	cve.mitre.org	Show Tweet
t_nihonmatsu	access.redhat.com	Show Tweet
t_nihonmatsu	twitter.com	Show Tweet
realperumalj	youtu.be	Show Tweet
td2sk	nvd.nist.gov	Show Tweet
td2sk	unit42.paloaltonetworks.com	Show Tweet
Ltomu_website	unit42.paloaltonetworks.jp	Show Tweet
digininja	secureideas.com	Show Tweet
digininja	twitter.com	Show Tweet
_CryptoCat	secureideas.com	Show Tweet
oboenikui	github.com	Show Tweet
oboenikui	unit42.paloaltonetworks.jp	Show Tweet
red_fat_daruma	unit42.paloaltonetworks.com	Show Tweet
t_nihonmatsu	github.com	Show Tweet
viehgroup	unit42.paloaltonetworks.com	Show Tweet
blueteamsec1	dlvr.it	Show Tweet
bugbounty0	unit42.paloaltonetworks.com	Show Tweet
ipssignatures	twitter.com	Show Tweet
Telemetry_Deck	cve.mitre.org	Show Tweet
FINSIN_CL	unit42.paloaltonetworks.com	Show Tweet
zeyu2001	twitter.com	Show Tweet

Name	URL
despossivel/CVE-2022-23529-lab	https://github.com/despossivel/CVE-2022-23529-lab
Live-Hack-CVE/CVE-2022-23529	https://github.com/Live-Hack-CVE/CVE-2022-23529

CVE-2022-23529

Description from NVD

▼ CVSS3 Vec CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD References

Refer to Information on External Sites

▼ Show Information from Twitter(46)

▼ Show Information from Twitter(46)

URL	Num of Times Referred to
thehackernews.com	203
cvetrends.com	51
github.com	7
unit42.paloaltonetworks.jp	7
unit42.paloaltonetworks.com	7
canyoupwn.me	4
opsmtrs.com	3
twitter.com	3
b.hatena.ne.jp	3
security.sios.jp	3
securityboulevard.com	3
xcloud.spectrum.colortokens.com	3