[vulnerabilities][high] jsonwebtoken has insecure input validation in jwt.verify function

[piotut]

New jsonwebtoken vulnerability has been published.
GHSA-27h2-hvpr-p74q

[childish-sambino]

twilio-node v3 supports Node v6/8/10 which are not supported by jsonwebtoken v9. But, after reviewing the vulnerabilities in jsonwebtoken v8, our helper lib is not affected (we don’t verify signatures, only do the signing, and we use default algorithms) so no action is planned.

We have a twilio-node v4 release candidate available here https://github.com/twilio/twilio-node/tree/4.0.0-rc which drops support for Node < v14 (since v14 is the oldest maintained Node version right now). I’ll update the PR to upgrade jsonwebtoken to v9 for the v4 release candidate anyway.

[uri-peled-unit]

Hey @childish-sambino,

Thanks for closing this high vulnerability, but from what we understand, the fix is currently available only for twilio-node v4.
twilio-node v4 is still a beta and not GA, as we can also see in this link https://www.npmjs.com/package/twilio, twilio latest available version is 3.84.0.
While we cannot deploy yet twilio-node v4 as of its current status, we are still using twilio-node v3, which is vulnerable to the jsonwebtoken issue.

I have a couple of questions regarding the above,

1. When twilio-node v4 with the jsonwebtoken fix will be GA
2. Can you please publish a twilio-node v3 patch with the jsonwebtoken fix?

Thanks in advance.

[Terkea]

2. Can you please publish a twilio-node v3 patch with the jsonwebtoken fix?

From what I understand starting with version 4 it has been decided to drop support for node versions < 14.
I would love to see a patched version 3 for this vulnerability, as upgrading to version 4 may be a little more problematic.

[vinczemarton]

2. Can you please publish a twilio-node v3 patch with the jsonwebtoken fix?

From what I understand starting with version 4 it has been decided to drop support for node versions < 14. I would love to see a patched version 3 for this vulnerability, as upgrading to version 4 may be a little more problematic.

If you are on node 12, so you cannot update twilio to 14, but you are able to update jsonwebtoken to 9 use this: https://github.com/rogeriochaves/npm-force-resolutions to force jsonwebtoken to be 9.0.0 for now. Looking at the code, it will not break (did not try out though).

Since Node 12 LTS already ended I doubt that twilio will provide a node 12 compatible package with jsonwebtoken updated to 9.

[claudiachua]

@uri-peled-unit We are planning to roll out GA on Jan 25. Subject to change

[ehaynes99]

Note that modern version of npm have direct support for this in package.json without the use of a third party lib:

"overrides": {
  "jsonwebtoken": "^9.0.0"
},

I must say, though, this is far from ideal. I think jsonwebtoken should have backported the fix into 8.x, but this is doing the same thing. The v4 client is not backwards compatible. There are numerous incompatible types, and while similar, technically it's a complete rewrite. A security update held hostage behind the upgrade is a rock and a hard place.