Ding, dong, the CVE is dead! :partyparrot:
The JWT nodejs "vulnerability" from December, popularised at the start of January, has been recognised as a non-issue 🫥
I'm really glad to see it gone. Hoping we get a rash of news stories to follow up on the torrent 🌊 that followed the Unit 42 blog...
I'm not sure if its removal was down to me raising an issue on the GitHub Advisory Database :omya_github: to ask for it to be removed.
#jwt #cve #errata #cve_2022_23529 #auth0 #unit42 #jsonwebtoken
That :javascript: JWT "vulnerability"?
Nope 🙅
Exploiting this requires a deserialization bug in an app using the library, or for an attacker to be able to control the code directly (at which point they have RCE already).
Not CVSS 7.6, by any means: it requires an app to be dangerously deserializing untrusted input into a field for security token validation! Most apps hardcode a string.
This is CVSS 0.
This bug is not a vulnerability.
#jwt #cve_2022_23529 #cve #javascript #paloaltounit42