CVE-2024-54150
CVSS 3.1 Score 9.1 of 10 (high)
Details
Summary
CVE-2024-54150 is a vulnerability affecting the cjwt JSON Web Token (JWT) implementation. The issue arises from algorithm confusion, where the system fails to distinguish between different signing methods during token verification. Specifically, an HMAC-signed token may be mistakenly verified using an asymmetric algorithm like RS256 or EC256. This confusion can lead to unauthorized access, as attackers can craft tokens with incorrect algorithm identifiers and exploit the system's misconfiguration. In the case of RSA and EC algorithms, an attacker can potentially recover the key from a few signatures, bypassing the signature mechanism. Users are advised to upgrade to version 2.3.0 to address this vulnerability, as there are currently no known workarounds.
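The algorithm confusion described above, as an added Python example that is not cjwt's code or its 2.3.0 fix: one verifier run with and without pinning the accepted algorithm to the key type. The toy RSA key, the JSON public-key encoding (standing in for a PEM file), and all function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

# Constructed toy RSA key built from two Mersenne primes: insecure, demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8                       # modulus length in bytes
PUB_BYTES = json.dumps({"n": N, "e": E}).encode()   # stand-in for a public-key PEM file
SHA256_DER = bytes.fromhex("3031300d060960864801650304020105000420")
ALLOWED = {"RSA": {"RS256"}, "oct": {"HS256"}}      # algorithms each key type may verify

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa(msg):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), K bytes long."""
    t = SHA256_DER + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def make_token(alg, claims, signer):
    body = b64u(json.dumps({"alg": alg}).encode()) + "." + b64u(json.dumps(claims).encode())
    return body + "." + b64u(signer(body.encode()))

def rs256_sign(msg):  # issuer side: the only party holding D
    return pow(int.from_bytes(emsa(msg), "big"), D, N).to_bytes(K, "big")

def hs256_sign(secret):
    return lambda msg: hmac.new(secret, msg, hashlib.sha256).digest()

def verify(token, key_bytes, key_type, pin_alg):
    head, payload, sig = token.split(".")
    alg, msg, sig = json.loads(unb64u(head)).get("alg"), f"{head}.{payload}".encode(), unb64u(sig)
    if pin_alg and alg not in ALLOWED[key_type]:
        return False                      # header names an algorithm this key never uses
    if alg == "HS256":                    # uses whatever bytes it was handed as the secret
        return hmac.compare_digest(sig, hs256_sign(key_bytes)(msg))
    if alg == "RS256" and len(sig) == K:
        pub = json.loads(key_bytes)
        em = pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]).to_bytes(K, "big")
        return hmac.compare_digest(em, emsa(msg))
    return False

def demo():
    genuine = make_token("RS256", {"sub": "alice"}, rs256_sign)
    confused = make_token("HS256", {"sub": "alice"}, hs256_sign(PUB_BYTES))  # constructed
    return {(name, pin): verify(tok, PUB_BYTES, "RSA", pin)
            for name, tok in (("genuine", genuine), ("confused", confused))
            for pin in (False, True)}
```

With `pin_alg=False` the verifier accepts both tokens; with `pin_alg=True` only the RS256 token passes, because the header's `alg` is checked against the key type before any cryptographic operation runs.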