🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.
Versions <=8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the secretOrPublicKey argument from the readme link) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens.
Am I affected?
You will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function.
In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification.
Am I affected?
You will be affected if you do not specify algorithms in the jwt.verify() function
How do I fix it?
Update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method.
Will the fix impact my users?
There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.
Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.
Am I affected?
You are affected if you are using an algorithm and a key type other than the combinations mentioned below
Key type
algorithm
ec
ES256, ES384, ES512
rsa
RS256, RS384, RS512, PS256, PS384, PS512
rsa-pss
PS256, PS384, PS512
And for Elliptic Curve algorithms:
alg
Curve
ES256
prime256v1
ES384
secp384r1
ES512
secp521r1
How do I fix it?
Update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, If you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.
Will the fix impact my users?
There will be no impact, if you update to version 9.0.0 and you already use a valid secure combination of key type and algorithm. Otherwise, use the allowInvalidAsymmetricKeyTypes option to true in the sign() and verify() functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility.
For versions <=8.5.1 of jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote code execution (RCE).
Am I affected?
You are affected only if you allow untrusted entities to modify the key retrieval parameter of the jwt.verify() on a host that you control.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ jsonwebtoken (8.5.1 → 9.0.0) · Repo · Changelog
Security Advisories 🚨
🚨 jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
🚨 jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
🚨 jsonwebtoken unrestricted key type could lead to legacy keys usage
🚨 jsonwebtoken has insecure input validation in jwt.verify function
Commits
See the full diff on Github. The new version differs by 17 commits:
Merge pull request from GHSA-8cf7-32gw-wr33
chore(ci): remove github test actions job (#861)
chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
fix!: Prevent accidental use of insecure key sizes & misconfiguration of secrets (#852)
fix(sign&verify)!: Remove default `none` support from `sign` and `verify` methods, and require it to be explicitly configured (#851)
Upload OpsLevel YAML (#849)
docs: update references vercel/ms references (#770)
docs: document "invalid token" error
docs: fix spelling in README.md: Peak -> Peek (#754)
docs: make decode impossible to discover before verify
refactor: make decode non-enumerable
docs: add jwtid to options of jwt.verify (#704)
Replace tilde-indexOf with includes (#647)
Adds not to README on decoded payload validation (#646)
docs: fix tiny style change in readme (#622)
style: add missing semicolon (#641)
ci: use circleci (#589)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase
.All Depfu comment commands