External risk intelligence

JSRSASIGN Improper Signature Verification Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2022-25898

This is a cryptographic library used in various Node.js applications to verify JWS or JWT signatures. While these tokens are commonly used in internet-facing web applications and APIs, the library itself is a dependency embedded within broader software, and its reachability depends entirely on how the consuming application implements token validation.

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security issue has been identified in a cryptographic library used for verifying digital signatures in web applications and APIs. This vulnerability could allow incorrect signatures to be validated as legitimate, potentially impacting the integrity of authenticated data. The primary concern is to confirm if this library is in use and how it's implemented within our systems to understand the potential exposure.

  • Cryptographic library may incorrectly validate signatures.
  • Verify if our systems use this library for critical functions.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

Attackers can exploit this vulnerability by sending specially crafted signed data over the network to an application that uses the vulnerable library to verify these signatures. If the application processes this malformed data without proper checks, the vulnerability can be triggered, potentially allowing unauthorized actions.

  • Requires network access to the vulnerable component.
  • Triggered by sending invalidly encoded signed data.
  • Risk of signature bypass leading to system compromise.

Live Threat

Current exploitation, exposure, and threat context

The jsrsasign library's improper verification of cryptographic signatures could allow for the validation of seemingly legitimate JWS or JWT signatures even when they contain invalid encoding characters. This could affect applications that rely on this library to verify the integrity and authenticity of these tokens, potentially leading to the acceptance of forged or tampered data.

  • JWS/JWT signatures.
  • Incorrectly encoded signatures may pass validation.
  • Compromised data integrity and authenticity.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in the `jsrsasign` library impacts applications that rely on it for validating JWS or JWT signatures. The primary responsibility likely falls to the application owners or development teams who integrate this library. The first step is to identify all instances where `jsrsasign` is used for signature validation, determine if these instances are exposed externally or handle business-critical data, and then confirm the accountable owner for each identified deployment.

  • App owners should investigate library usage.
  • Verify JWS/JWT signature validation points.
  • Plan remediation based on exposure risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the jsrsasign library used for?

jsrsasign is a cryptographic library for Node.js environments. Developers use it to handle digital signatures, specifically for verifying JSON Web Signatures (JWS) and JSON Web Tokens (JWT). These tokens are standard tools for securely transmitting information between parties, often used in web applications to verify user identity or maintain session state.

How does the CVE-2022-25898 vulnerability work?

This vulnerability is classified as Improper Verification of Cryptographic Signature (CWE-347). It occurs because the library fails to correctly handle certain non-standard characters within the signature string. Because the library accepts these malformed inputs as valid, it may mistakenly authenticate forged or tampered tokens, allowing data that should have been rejected to pass as legitimate.

What triggers this security flaw?

The flaw is triggered when the library processes a JWS or JWT signature containing specific non-Base64URL or number-escaped characters. Note that simply having the library installed is not enough; the vulnerability only manifests when the application uses the verify method on these specifically crafted, invalidly encoded strings. If a signature follows standard Base64URL encoding rules, it does not trigger this bypass.

How do I know if this is relevant to me?

According to Halo Surface Signal, this vulnerability is most relevant to internet-facing web applications or APIs that use jsrsasign to validate incoming tokens. Because the library is a dependency embedded in larger software, your risk depends on whether your application relies on it to verify critical authentication data from the network. If your services process user-supplied tokens, you should investigate how your code implements those verification checks.

What are the first steps to address this?

Begin by auditing your codebase to locate where jsrsasign is integrated for signature verification. Work with your development team to confirm if the library version is older than 10.5.25. As a defensive measure, ensure your application validates that incoming tokens conform to proper Base64URL format before passing them to the library's verification methods.

References