
[vulnerabilities][high] jsonwebtoken has insecure input validation in jwt.verify function #846

Closed
piotut opened this issue Dec 22, 2022 · 6 comments
Labels
type: security known security issue

Comments

@piotut

piotut commented Dec 22, 2022

New jsonwebtoken vulnerability has been published.
GHSA-27h2-hvpr-p74q

@childish-sambino
Contributor

twilio-node v3 supports Node v6/8/10 which are not supported by jsonwebtoken v9. But, after reviewing the vulnerabilities in jsonwebtoken v8, our helper lib is not affected (we don’t verify signatures, only do the signing, and we use default algorithms) so no action is planned.

We have a twilio-node v4 release candidate available here https://github.com/twilio/twilio-node/tree/4.0.0-rc which drops support for Node < v14 (since v14 is the oldest maintained Node version right now). I’ll update the PR to upgrade jsonwebtoken to v9 for the v4 release candidate anyway.

@childish-sambino childish-sambino added type: security known security issue status: work in progress Twilio or the community is in the process of implementing labels Dec 27, 2022
childish-sambino pushed a commit that referenced this issue Dec 27, 2022
Relates to #846 and #847

twilio-node v3 supports Node v6/8/10 which are not supported by jsonwebtoken v9. But, after reviewing the vulnerabilities in jsonwebtoken v8, our helper lib is not affected (we don’t verify signatures, only do the signing, and we use default algorithms). This change is to bypass audit failures for v3. Note that v4 does not bypass the audit and uses jsonwebtoken v9.
@childish-sambino childish-sambino removed the status: work in progress Twilio or the community is in the process of implementing label Jan 10, 2023
@uri-peled-unit

Hey @childish-sambino,

Thanks for closing this high vulnerability, but from what we understand, the fix is currently available only for twilio-node v4.
twilio-node v4 is still a beta and not GA, as we can also see in this link https://www.npmjs.com/package/twilio, twilio latest available version is 3.84.0.
While we cannot yet deploy twilio-node v4 given its current status, we are still using twilio-node v3, which is vulnerable to the jsonwebtoken issue.

I have a couple of questions regarding the above,

  1. When will twilio-node v4 with the jsonwebtoken fix be GA?
  2. Can you please publish a twilio-node v3 patch with the jsonwebtoken fix?

Thanks in advance.

@Terkea

Terkea commented Jan 11, 2023

2. Can you please publish a twilio-node v3 patch with the jsonwebtoken fix?

From what I understand starting with version 4 it has been decided to drop support for node versions < 14.
I would love to see a patched version 3 for this vulnerability, as upgrading to version 4 may be a little more problematic.

@vinczemarton

vinczemarton commented Jan 11, 2023

  2. Can you please publish a twilio-node v3 patch with the jsonwebtoken fix?

From what I understand starting with version 4 it has been decided to drop support for node versions < 14. I would love to see a patched version 3 for this vulnerability, as upgrading to version 4 may be a little more problematic.

If you are on Node 12, so you cannot update twilio to 14, but you are able to update jsonwebtoken to 9, use this: https://github.com/rogeriochaves/npm-force-resolutions to force jsonwebtoken to be 9.0.0 for now. Looking at the code, it will not break (did not try it out though).

Since Node 12 LTS already ended I doubt that twilio will provide a node 12 compatible package with jsonwebtoken updated to 9.

@claudiachua

@uri-peled-unit We are planning to roll out GA on Jan 25. Subject to change

@ehaynes99

Note that modern versions of npm have direct support for this in package.json without the use of a third-party lib:

"overrides": {
  "jsonwebtoken": "^9.0.0"
},

I must say, though, this is far from ideal. I think jsonwebtoken should have backported the fix into 8.x, but this is doing the same thing. The v4 client is not backwards compatible. There are numerous incompatible types, and while similar, technically it's a complete rewrite. A security update held hostage behind the upgrade is a rock and a hard place.
