"JsonWebToken Security Bug Opens Servers to RCE"

A high-severity vulnerability, tracked as CVE-2022-23529, has been discovered in the popular JsonWebToken (JWT) open-source encryption project. An attacker could use this flaw to achieve Remote Code Execution (RCE) on a target encryption server. The JWT open standard specifies a technique for securely transmitting information using encoded and signed JSON data. Unit 42 of Palo Alto Networks found that exploiting the vulnerability involves getting the server to verify a maliciously crafted JSON Web Token request. The vulnerability affects all versions of the package up to and including v8.5.1; according to a January 9 statement from Unit 42, v9.0.0 is the patched release. Unit 42 security researcher Artur Oleyarsh notes that vulnerabilities associated with JSON Web Tokens are typically related to token forging techniques that allow an adversary to circumvent authentication and authorization procedures. This article continues to discuss findings regarding the JWT security vulnerability that leaves servers open to RCE.
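A practical first step for defenders is checking whether any installed copy of the package, including transitive ones, falls in the affected range (up to and including v8.5.1). The following is an added example, not code from the Dark Reading article or the jsonwebtoken project; it scans a package-lock.json "packages" map (lockfileVersion 2/3) and the sample lockfile it uses is constructed for illustration.

```javascript
// Added example: flag jsonwebtoken installs at or below v8.5.1, the range the
// article gives for CVE-2022-23529, by walking a package-lock.json "packages" map.
// The lockfile content at the bottom is constructed, not taken from a real project.

const LAST_VULNERABLE = [8, 5, 1]; // every release <= 8.5.1 is affected; 9.0.0 is patched

// Parse "MAJOR.MINOR.PATCH" into numbers (a pre-release/build suffix is ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isVulnerable(version) {
  return compareVersions(parseVersion(version), LAST_VULNERABLE) <= 0;
}

// Return every lockfile path whose installed jsonwebtoken is in the affected range.
// Nested paths catch copies pulled in transitively by another dependency.
function findVulnerableJwt(lockJson) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/jsonwebtoken") && meta.version && isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample: the app depends on the patched release directly, but a
// hypothetical "legacy-auth" dependency still pins a copy in the affected range.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { jsonwebtoken: "^9.0.0" } },
    "node_modules/jsonwebtoken": { version: "9.0.0" },
    "node_modules/legacy-auth": { version: "1.2.0", dependencies: { jsonwebtoken: "^8.0.0" } },
    "node_modules/legacy-auth/node_modules/jsonwebtoken": { version: "8.5.1" },
  },
});

console.log(findVulnerableJwt(SAMPLE_LOCK));
```

Run it against a real lockfile by reading the file and passing its contents to findVulnerableJwt; a non-empty result means an affected copy is installed even when the top-level dependency is already on v9.0.0.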

Dark Reading reports "JsonWebToken Security Bug Opens Servers to RCE"