Auth0 fixes RCE flaw in JsonWebToken library used by 22,000 projects(bleepingcomputer.com)
bleepingcomputer.com
Auth0 fixes RCE flaw in JsonWebToken library used by 22,000 projects
https://www.bleepingcomputer.com/news/security/auth0-fixes-rce-flaw-in-jsonwebtoken-library-used-by-22-000-projects/
1 comments
How is this an RCE? The only way I can think of exploiting this is having access to the code. You can "exploit" JSON.parse with the same methodology. Perhaps if someone was using a serializer that uses eval but that shouldn't be a vuln in jsonwebtoken but in the library that passes user input into eval.