Описание
Authorization bypass in express-jwt
Overview
Versions before and including 5.3.3, we are not enforcing the algorithms entry to be specified in the configuration. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass.
Am I affected?
You are affected by this vulnerability if all of the following conditions apply:
You are using express-jwt AND You do not have algorithms configured in your express-jwt configuration. AND You are using libraries such as jwks-rsa as the secret.
How to fix that?
Specify algorithms in the express-jwt configuration. The following is an example of a proper configuration
Will this update impact my users?
The fix provided in patch will not affect your users if you specified the algorithms allowed. The patch now makes algorithms a required configuration.
Credit
IST Group
Пакеты
express-jwt
<= 5.3.3
6.0.0
Связанные уязвимости
In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.