CVE-2016-1000223
Authentication Bypass vulnerability in jws (npm)
What is CVE-2016-1000223 About?
This vulnerability affects the 'jws' package: the client presenting a JWT is allowed to choose the algorithm the server uses to verify it. An attacker can modify the token's contents and still pass verification, which amounts to an authentication bypass. It is easy to exploit and commonly results in a full authentication bypass.
Affected Software
Technical Details
The jws package, in affected versions, permits clients to specify the algorithm used by the server to verify JSON Web Tokens (JWTs). A malicious actor can craft a JWT whose header specifies, for example, the 'none' algorithm or a symmetric algorithm such as HS256, so that the server's public key is used as the HMAC secret. This allows the attacker to forge the token's signature, bypass the server's signature verification, and freely modify the JWT's payload. The server then treats the tampered JWT as valid, granting unauthorized access or privileges based on the forged claims within the token.
What is the Impact of CVE-2016-1000223?
Successful exploitation may allow attackers to bypass authentication mechanisms, gain unauthorized access to resources, impersonate legitimate users, or elevate privileges within the application.
What is the Exploitability of CVE-2016-1000223?
Exploitation of this vulnerability is generally straightforward. It typically involves crafting a modified JWT with a specified algorithm and a forged signature. No special authentication or elevated privileges are required, as the vulnerability lies in how the server processes the JWT itself. This is primarily a remote attack, as the attacker needs to send the crafted JWT to the server. The main prerequisite is that the application uses the affected 'jws' package and allows clients to control the JWT verification algorithm, often by using a public key for signature verification that can be abused for symmetric key signing.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2016-1000223?
Available Upgrade Options
- jws
  - <3.0.0 → Upgrade to 3.0.0
Additional Resources
- https://github.com/brianloveswords/node-jws
- https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e
- https://snyk.io/vuln/npm:jws:20160726
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000223
- https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries
- https://www.npmjs.com/advisories/88
- https://osv.dev/vulnerability/GHSA-gjcw-v447-2w7q
What are Similar Vulnerabilities to CVE-2016-1000223?
Similar Vulnerabilities: CVE-2015-2951, CVE-2017-0249, CVE-2017-11532, CVE-2015-9235, CVE-2018-1000531
