CVE-2020-15084
Authorization Bypass vulnerability in express-jwt (npm)
What is CVE-2020-15084 About?
This vulnerability in express-jwt (versions <= 5.3.3) arises when the middleware is combined with jwks-rsa and the algorithms option is left unset. Because the set of accepted signing algorithms is not enforced, an attacker can forge a JWT that the server treats as valid, bypassing authentication and authorization checks. Exploitation is straightforward for an attacker familiar with JWT algorithm-confusion attacks.
Affected Software
- express-jwt (npm) versions <= 5.3.3, when used together with jwks-rsa and without an explicit algorithms option
Technical Details
In express-jwt up to and including 5.3.3, the algorithms entry of the middleware configuration is not enforced. When it is omitted and the secret is supplied by jwks-rsa, the key handed to the verifier is the issuer's RSA public key, which jwks-rsa fetches from the issuer's JWKS endpoint and which is therefore available to anyone. An attacker can craft a JWT whose header declares a symmetric algorithm such as HS256 and compute the HMAC with that public key as the secret; a verifier that lets the token's own alg header select the primitive recomputes the same HMAC and accepts the signature. Since the attacker controls the whole token, claims such as the user ID or roles can be set arbitrarily, which yields an authorization bypass that grants access or privileges the attacker should not have.
What is the Impact of CVE-2020-15084?
Successful exploitation may allow attackers to bypass authorization checks, gain unauthorized access to protected resources, impersonate other users, or escalate their privileges within the application.
What is the Exploitability of CVE-2020-15084?
Exploitation of this vulnerability is of low complexity. The attacker needs to understand the JWT structure and to craft a token whose alg header differs from the one the issuer uses. No credentials or elevated privileges are required, since the goal is to bypass those very mechanisms, and the attack is carried out remotely against any endpoint protected by the middleware. The prerequisite is an express-jwt configuration that omits the algorithms field while using jwks-rsa to fetch the signing key. The public key needed for the symmetric-algorithm variant is not a secret: jwks-rsa obtains it from the issuer's JWKS endpoint, which is normally reachable by anyone.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-15084?
Available Upgrade Options
- express-jwt
- <6.0.0 → Upgrade to 6.0.0, which makes the algorithms option mandatory and fails at startup when it is missing. Until the upgrade is in place, set algorithms explicitly (for example ['RS256']) to match the algorithm the JWKS issuer actually signs with.
Additional Resources
- https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf
- https://osv.dev/vulnerability/GHSA-6g6m-m6h5-w9gf
- https://nvd.nist.gov/vuln/detail/CVE-2020-15084
- https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef
What are Similar Vulnerabilities to CVE-2020-15084?
Similar Vulnerabilities: CVE-2015-2951, CVE-2017-0249, CVE-2017-11532, CVE-2015-9235, CVE-2018-1000531
