CVE-2020-15084 express-jwt

Package

Manager: npm
Name: express-jwt
Vulnerable Version: >=0 <=5.3.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

EPSS: 0.00095 (percentile 0.27419)

Details

Authorization bypass in express-jwt

### Overview

In versions up to and including 5.3.3, express-jwt does not enforce that the **algorithms** entry is specified in the configuration. When **algorithms** is not specified, in combination with jwks-rsa, this may lead to an authorization bypass.

### Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

- You are using express-jwt, AND
- You do not have **algorithms** configured in your express-jwt configuration, AND
- You are using a library such as jwks-rsa as the **secret**.

### How to fix that?

Specify **algorithms** in the express-jwt configuration. The following is an example of a proper configuration:

```
const checkJwt = jwt({
  secret: jwksRsa.expressJwtSecret({
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: `https://${DOMAIN}/.well-known/jwks.json`
  }),
  // Validate the audience and the issuer.
  audience: process.env.AUDIENCE,
  issuer: `https://${DOMAIN}/`,
  // restrict allowed algorithms
  algorithms: ['RS256']
});
```

### Will this update impact my users?

The fix provided in the patch will not affect your users if you already specify the allowed algorithms. The patch makes **algorithms** a required configuration option.

### Credit

IST Group

Metadata

Created: 2020-06-30T16:05:24Z
Modified: 2021-01-07T23:49:22Z
Source: MANUAL
CWE IDs: ["CWE-285", "CWE-863"]
Alternative ID: GHSA-6g6m-m6h5-w9gf
Finding: F039
Auto approve: 1