nestjs / nest

A progressive Node.js framework for building efficient, scalable, and enterprise-grade server-side applications with TypeScript/JavaScript 🚀
https://nestjs.com
MIT License
66.91k stars 7.55k forks

jsonwebtoken <=8.5.1 vulnerability #10749

Closed leoamorimr closed 1 year ago

leoamorimr commented 1 year ago

Is there an existing issue for this?

Current behavior

I'm facing a package dependency vulnerability in @nestjs/jwt as it depends on jsonwebtoken < 9.0.0.

npm audit report

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
No fix available
node_modules/jsonwebtoken
  @nestjs/jwt  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/@nestjs/jwt
  passport-jwt  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/passport-jwt

Minimum reproduction code

https://stackblitz.com/edit/nestjs-typescript-starter-uvganw?file=package.json

Steps to reproduce

  1. npm audit

Expected behavior

Please upgrade jsonwebtoken dependency version to 9.0.0.

Link to resolution

Package

Other package

@nestjs/jwt

NestJS version

No response

Packages versions

    "@nestjs/axios": "^0.1.0",
    "@nestjs/common": "^9.0.9",
    "@nestjs/config": "^2.2.0",
    "@nestjs/core": "^9.0.9",
    "@nestjs/jwt": "^9.0.0",
    "@nestjs/mapped-types": "*",
    "@nestjs/passport": "^9.0.0",
    "@nestjs/platform-express": "^9.0.9",
    "@nestjs/swagger": "^6.0.5",
    "@nestjs/terminus": "^9.1.1",
    "@nestjs/typeorm": "^9.0.1",
    "class-transformer": "^0.5.1",
    "class-validator": "^0.13.2",
    "helmet": "^5.1.1",
    "jwks-rsa": "^2.1.4",
    "nestjs-pino": "^3.1.1",
    "oracledb": "^5.4.0",
    "passport": "^0.6.0",
    "passport-jwt": "^4.0.0",
    "pino-http": "^8.2.1",
    "pino-pretty": "^9.1.1",
    "reflect-metadata": "^0.1.13",
    "rimraf": "^3.0.2",
    "rxjs": "^7.5.6",
    "swagger-ui-express": "^4.5.0",
    "typeorm": "^0.3.10"

Node.js version

19.3.0

In which operating systems have you tested?

Other

No response

kamilmysliwiec commented 1 year ago

https://github.com/nestjs/jwt/issues/1153