A vulnerability (CVE-2022-23529) has been disclosed in jsonwebtoken, the JavaScript library implementing JSON Web Tokens (JWT), which allows remote code execution during verification of a specially crafted JWT. Over the past week the library was downloaded from the npm registry more than 10 million times.
As a dependency, jsonwebtoken is used in more than The vulnerability was fixed in the jsonwebtoken 9.0.0 release.
The vulnerability is caused by an error in the implementation of the verify() method, which takes three parameters (the token, secretOrPublicKey and a set of options), checks the validity of the token and returns its decoded contents. According to the specification, the secretOrPublicKey parameter may be a string or a Buffer, but the jsonwebtoken code does not take this into account and always treats it as a string by calling its toString() method. Consequently, if a JavaScript object with its own toString() method is passed instead of a string, the code supplied by the attacker is executed.