A vulnerability has been identified in the open source jsonwebtoken (JWT) library that could allow threat actors to execute code remotely on an affected server. jsonwebtoken is an open-source JavaScript package for creating and verifying JWTs used for authentication and authorization. The package, developed by Auth0, has more than 9 million weekly downloads and over 20,000 dependent packages, and plays a significant role in authentication/authorization functionality for many applications.

The vulnerability, tracked as CVE-2022-23529, affects jsonwebtoken versions prior to 9.0.0 (8.5.1 and earlier). It lies in the `jwt.verify()` function: the library called `toString()` on the `secretOrPublicKey` argument without first checking its type, so a crafted object whose `toString` method contains attacker code would have that code executed on the server. Exploitation therefore requires that the attacker be able to control the value passed as `secretOrPublicKey`, which in most deployments is a server-side secret; where that condition is met, the flaw allows threat actors to bypass authentication mechanisms, execute code on the vulnerable system, gain access to sensitive information, and hijack or alter data.
jsonwebtoken version 9.0.0 fixes the vulnerability by validating the type of `secretOrPublicKey` before it is used, rejecting anything that is not a string, Buffer or KeyObject. Users of the affected versions are advised to upgrade to 9.0.0 or later immediately.