fix: Upgrade jsonwebtoken to address CVE-2022-23540 (#5116)

n8n-io · Jan 13, 2023 · 97969fc · 97969fc
1 parent 0a5ab56
commit 97969fc
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 51 deletions.
diff --git a/package.json b/package.json
@@ -67,6 +67,7 @@
       "browserslist": "^4.21.4",
       "ejs": "^3.1.8",
       "fork-ts-checker-webpack-plugin": "^6.0.4",
+      "jsonwebtoken": "9.0.0",
       "cpy@8>globby": "^11.1.0",
       "qqjs>globby": "^11.1.0"
     }

diff --git a/packages/cli/package.json b/packages/cli/package.json
@@ -72,7 +72,7 @@
     "@types/cookie-parser": "^1.4.2",
     "@types/express": "^4.17.6",
     "@types/json-diff": "^0.5.1",
-    "@types/jsonwebtoken": "^8.5.2",
+    "@types/jsonwebtoken": "^9.0.0",
     "@types/localtunnel": "^1.9.0",
     "@types/lodash.get": "^4.4.6",
     "@types/lodash.intersection": "^4.4.7",
@@ -144,7 +144,7 @@
     "ioredis": "^5.2.4",
     "json-diff": "^0.5.4",
     "jsonschema": "^1.4.1",
-    "jsonwebtoken": "^8.5.1",
+    "jsonwebtoken": "^9.0.0",
     "jwks-rsa": "~1.12.1",
     "localtunnel": "^2.0.0",
     "lodash.get": "^4.4.2",

diff --git a/packages/cli/src/UserManagement/auth/jwt.ts b/packages/cli/src/UserManagement/auth/jwt.ts
@@ -27,6 +27,7 @@ export function issueJWT(user: User): JwtToken {
 
 	const signedToken = jwt.sign(payload, config.getEnv('userManagement.jwtSecret'), {
 		expiresIn: expiresIn / 1000 /* in seconds */,
+		algorithm: 'HS256',
 	});
 
 	return {
@@ -57,7 +58,9 @@ export async function resolveJwtContent(jwtPayload: JwtPayload): Promise<User> {
 }
 
 export async function resolveJwt(token: string): Promise<User> {
-	const jwtPayload = jwt.verify(token, config.getEnv('userManagement.jwtSecret')) as JwtPayload;
+	const jwtPayload = jwt.verify(token, config.getEnv('userManagement.jwtSecret'), {
+		algorithms: ['HS256'],
+	}) as JwtPayload;
 	return resolveJwtContent(jwtPayload);
 }
 

diff --git a/packages/nodes-base/package.json b/packages/nodes-base/package.json
@@ -735,7 +735,7 @@
     "@types/formidable": "^1.0.31",
     "@types/gm": "^1.18.2",
     "@types/imap-simple": "^4.2.0",
-    "@types/jsonwebtoken": "^8.5.2",
+    "@types/jsonwebtoken": "^9.0.0",
     "@types/lodash.set": "^4.3.6",
     "@types/lossless-json": "^1.0.0",
     "@types/mailparser": "^2.7.3",
@@ -780,7 +780,7 @@
     "isbot": "^3.3.4",
     "iso-639-1": "^2.1.3",
     "js-nacl": "^1.4.0",
-    "jsonwebtoken": "^8.5.1",
+    "jsonwebtoken": "^9.0.0",
     "kafkajs": "^1.14.0",
     "lodash.get": "^4.4.2",
     "lodash.set": "^4.3.2",

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml