jpadilla / pyjwt

JSON Web Token implementation in Python
https://pyjwt.readthedocs.io
MIT License

Is CVE-2022-23529 relevant to this package? #850

Closed odddozen closed 1 year ago

odddozen commented 1 year ago

There was a recent high-level CVE for the JSON package jsonwebtoken. Whilst this package is a separate implementation, I just wanted to confirm that this package is not similarly affected?

GarretMook commented 1 year ago

I was wondering the same.

GarretMook commented 1 year ago

From my research the vulnerability CVE-2022-23529 has to do with the node-jsonwebtoken package's verify function. Not the JWT standard that PyJWT uses.

However, contradicting Auth0 put out a guest article which claims PyJWT needs to be upgraded to be safe. This seems like a blanketed statement and I have not found any info to back up whether PyJWT is affected.

> TL;DR: If you are using [node-jsonwebtoken](https://github.com/auth0/node-jsonwebtoken), [pyjwt](https://github.com/jpadilla/pyjwt/), [namshi/jose](https://github.com/namshi/jose), [php-jwt](https://github.com/firebase/php-jwt) or [jsjwt](https://github.com/kjur/jsjws) with asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512) please update to the latest version. See [jwt.io](http://jwt.io/) for more information on the vulnerable libraries. (Updated 2015-04-20)

Source - https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/

So I am confused. Is it a node-jsonwebtoken vulnerability or a JWT Standard Vulnerability?

jpadilla commented 1 year ago

CVE-2022-23529 is strictly about node-jsonwebtoken and does not apply to pyjwt.

> However, contradicting Auth0 put out a guest article which claims PyJWT needs to be upgraded to be safe. This seems like a blanketed statement and I have not found any info to back up whether PyJWT is affected.

That's for a different set of vulnerabilities from 2020.

GarretMook commented 1 year ago

@jpadilla thank you for the clarification. You are correct. Also, I totally missed the Auth0 article date; thanks for pointing that out. No wonder it was so contradicting.

To summarize for anyone else:

- node-jsonwebtoken (library): YES, vulnerability related to CVE-2022-23529
- PyJWT (library): No vulnerability related to CVE-2022-23529
- JsonWebToken (standard): No vulnerability related to CVE-2022-23529

For those curious about more info regarding the severity of the vulnerability: https://github.com/github/advisory-database/pull/1595
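The thread turns on what a JWT library's verify step does with the token header. As an added example (not PyJWT's own code, and not from anyone in this thread), here is a minimal stdlib-only HS256 verifier that pins the expected algorithm in server configuration rather than trusting the token's `alg` field, which is the property the quoted 2015 advisory was about and the reason `jwt.decode()` in PyJWT requires an explicit `algorithms=[...]` argument; the secret and claims are constructed sample values.

```python
# Added example: algorithm-pinned JWT verification with only the standard library.
# Not PyJWT's implementation; it shows the check a verify function must make.
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed sample key, not a real secret
EXPECTED_ALG = "HS256"  # comes from server configuration, never from the token


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token the way a legitimate issuer would."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the token verifies under EXPECTED_ALG, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # malformed structure, padding, UTF-8 or JSON
        return None
    # The header is compared against the pinned algorithm BEFORE any signature
    # math, so "none" or any other algorithm never reaches the HMAC check.
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def unsigned_test_vector(claims: dict) -> str:
    """Constructed "alg": "none" token used only to exercise the verifier."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."
```

Run `verify()` against the test vector and a tampered payload to confirm both are rejected while a properly signed token still decodes.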