CVE-2015-9235
Verification Bypass vulnerability in jsonwebtoken (npm)
What is CVE-2015-9235 About?
Versions 4.2.1 and earlier of 'jsonwebtoken' are vulnerable to a verification bypass due to weak validation of the JWT algorithm type. Attackers can arbitrarily specify the JWT algorithm, leading to token forgery and successful verification bypass. This is easy to exploit, resulting in full authentication bypass.
Affected Software
Technical Details
The jsonwebtoken library, in affected versions, fails to adequately validate the alg (algorithm) header parameter within a JSON Web Token (JWT). Specifically, if an attacker can control the alg header (i.e., the server implicitly trusts the client-provided algorithm or incorrectly configures its verification), they can specify an insecure algorithm like 'none'. This allows the attacker to unilaterally forge the JWT's signature (or effectively remove it with 'none'), bypass the server's signature verification process, and alter the token's payload (claims) at will. As a result, the server will accept the tampered JWT as legitimate, leading to a complete authentication or authorization bypass depending on the token's usage.
What is the Impact of CVE-2015-9235?
Successful exploitation may allow attackers to bypass authentication or authorization mechanisms, impersonate legitimate users, gain unauthorized access to resources, or elevate privileges within the application.
What is the Exploitability of CVE-2015-9235?
Exploitation of this vulnerability is generally straightforward. It requires an attacker to craft a JWT with a malicious alg header (e.g., 'none') and a forged or null signature. No specific authentication or elevated privileges are required, as the vulnerability directly targets the authentication/authorization mechanism itself. This is primarily a remote attack, where the crafted JWT is sent to the application. The main prerequisite is that the application uses the vulnerable jsonwebtoken library and either doesn't properly enforce a set of allowed algorithms or uses a configuration susceptible to algorithm confusion (e.g., using a public key for signature verification that can be used for symmetric signing). The existence of proof-of-concept exploits suggests that the means to exploit this are widely understood and available.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| z-bool | Link | A vulnerability verification / key brute-forcing tool built for JWT penetration testing: generates results for fuzzing against CVE-2015-9235 / blank key / unverified-signature attacks / CVE-2016-10555 / CVE-2018-0114 / CVE-2020-28042, and can also brute-force keys by dictionary or character enumeration (including JJWT) (JWT Crack) |
| WinDyAlphA | Link | PoC for CVE-2015-9235 |
| aalex954 | Link | JWT Key Confusion PoC (CVE-2015-9235) Written for the Hack the Box challenge - Under Construction |
What are the Available Fixes for CVE-2015-9235?
Available Upgrade Options
- jsonwebtoken
- <4.2.2 → Upgrade to 4.2.2
Additional Resources
- https://www.timmclean.net/2015/02/25/jwt-alg-none.html
- https://nvd.nist.gov/vuln/detail/CVE-2015-9235
- https://github.com/advisories/GHSA-c7hr-j4mj-j2w6
- https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687
- https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries
- https://www.npmjs.com/advisories/17
- https://nodesecurity.io/advisories/17
What are Similar Vulnerabilities to CVE-2015-9235?
Similar Vulnerabilities: CVE-2016-1000223, CVE-2015-2951, CVE-2017-0249, CVE-2017-11532, CVE-2018-1000531
