Vulnerability with jsonwebtoken
cawoodm opened this issue · comments
Software versions
- Tedious:
- SQL Server:
- Node.js:
Additional Libraries Used and Versions
- "mssql": "9.0.1"
- "tedious": "^15.0.1" (15.1.2)
- "@azure/identity": "^2.0.4"
- "@azure/msal-node": "^1.10.0"
- "jsonwebtoken": "^8.5.1" !!!
Problem description
There is a vulnerability with jsonwebtoken which affects the latest version of tedious.
Expected behavior
An update to tedious to remove/upgrade the vulnerable library.
Actual behavior
NPM Audit detects vulnerabilities.
Error message/stack trace
$ npm audit --registry=https://registry.npmjs.org/
# npm audit report
jsonwebtoken <=8.5.1
Severity: high
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install mssql@7.2.0, which is a breaking change
node_modules/jsonwebtoken
@azure/msal-node *
Depends on vulnerable versions of jsonwebtoken
node_modules/@azure/msal-node
@azure/identity >=1.2.0-alpha.20200903.1
Depends on vulnerable versions of @azure/msal-node
node_modules/@azure/identity
tedious >=11.0.9
Depends on vulnerable versions of @azure/identity
node_modules/tedious
mssql >=7.2.1
Depends on vulnerable versions of tedious
node_modules/mssql
5 vulnerabilities (4 moderate, 1 high)
To address all issues (including breaking changes), run:
npm audit fix --force
Any other details that can be helpful
Would it need reporting through https://www.npmjs.com/package/@azure/msal-node#security-reporting as I'm not sure tedious itself is the issue?
Security reporting is for undisclosed issues. You can see from their current development build that they have already upgraded the version of jsonwebtoken.
PS: see tediousjs/node-mssql#1451 (comment) for reasoning on why this is a non-exploitable vulnerability.
Could you clarify how we are to resolve this? I'm not sure who "their" is referring to...
AFAIK we are using the current release of tedious v5.1.2 and the vulnerability, though perhaps inaccessible, is blocking our CI checks.
"their" refers to the @azure/msal-node library - see AzureAD/microsoft-authentication-library-for-js#5473 for their WIP release for Jan.
As it's a patch release, it should automatically get installed and resolve the alerts once it is published.
@azure/msal-node 1.14.6 is available now, which should fix these issues.
Azure/azure-sdk-for-js#24403 (comment)