auth0/node-jws Improper Signature Verification Vulnerability in HMAC Algorithms

A vulnerability allowing improper signature verification has been identified in auth0/node-jws, a JSON Web Signature implementation for Node.js. This issue affects versions 3.2.2 and earlier, as well as version 4.0.0, when the HS256 algorithm is used under specific conditions. The vulnerability arises in applications that utilize the jws.createVerify() function for HMAC algorithms and incorporate user-provided data from the JSON Web Signature protected header or payload into HMAC secret lookup routines. Exploitation of this vulnerability can enable attackers to bypass signature verification.

Impact

Exploitation of this vulnerability allows for improper verification of signatures, which can lead to the acceptance of fraudulent data or actions in applications that rely on accurate signature validation.

Reproduction

The vulnerability can be reproduced by using auth0/node-jws version 4.0.0 or any version prior to 3.2.3, and by applying the following steps: 1. Use the jws.createVerify() function with the HS256 algorithm. 2. Incorporate user-provided data from the JSON Web Signature protected header or payload into the HMAC secret lookup process. This combination of factors will trigger the vulnerability, allowing for signature verification to be bypassed.

Remediation

Users can upgrade to auth0/node-jws version 3.2.3 or 4.0.1 to address this vulnerability.