Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dependency on vulnerable version of jsonwebtoken #121

Open
rossgp opened this issue Jan 13, 2023 · 1 comment
Open

Dependency on vulnerable version of jsonwebtoken #121

rossgp opened this issue Jan 13, 2023 · 1 comment

Comments

@rossgp
Copy link

rossgp commented Jan 13, 2023

node-sp-auth is currently using jsonwebtoken v 8.5.1

jsonwebtoken has recently addressed several CVE's and release v9.0.0
See details of breaking changes here: https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md

npm audit
....
jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
..

Can submit a PR for this but I don't have all the differently configured SharePoint endpoints to run the full set of integration tests so might need some help here.

lucaselb added a commit to lucaselb/node-sp-auth that referenced this issue Jan 26, 2023
@rossgp
Copy link
Author

rossgp commented Feb 14, 2023

Thanks for adding the PR lucaselb. @s-KaiNet would you be happy to merge this and release updated package?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant