CVE-2024-34273

CHANGELOG.md

@@ -1,5 +1,9 @@
 # nJwt Change Log
 
+### 2.0.1
+
+* [#107](https://github.com/jwtk/njwt/pull/107) Freeze `prototype` of all classes to prevent prototype pollution vuln ([CVE-2024-34273](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-34273))
+
 ### 2.0.0
 
 * [#98](https://github.com/jwtk/njwt/pull/98) Bumps jsonwebtoken version, drop Node < 12 from engines

index.d.ts

@@ -61,12 +61,11 @@ export declare class JwtBody {
   toJSON(): JSONMap;
   compact(): string;
 }
-export declare function JwtHeader(header: JwtHeaderOptions): JwtHeader;
+export declare function JwtHeader(header: JwtHeaderOptions, enforceDefaultFields?: boolean): JwtHeader;
 export declare class JwtHeader {
-  constructor(header: JwtHeaderOptions);
+  constructor(header: JwtHeaderOptions, enforceDefaultFields?: boolean);
     typ: string;
     alg: string;
-    reservedKeys: string[];
     compact(): string;
 }
 

index.js

@@ -114,14 +114,13 @@ JwtBody.prototype.compact = function compact(){
 };
 
 var reservedHeaderKeys = ['typ','alg'];
-function JwtHeader(header, ignoreDefaults){
+function JwtHeader(header, enforceDefaultFields){
   if(!(this instanceof JwtHeader)){
     return new JwtHeader(header);
   }
-  var self = this;
   this.typ = header && header.typ;
   this.alg = header && header.alg;
-  if (!ignoreDefaults) {
+  if (enforceDefaultFields !== false) {
     this.typ = this.typ || 'JWT';
     this.alg = this.alg || 'HS256';
   }
@@ -319,7 +318,7 @@ Parser.prototype.parse = function parse(jwtString,cb){
   jwt.setSigningAlgorithm(header.alg);
   jwt.signature = signature;
   jwt.verificationInput = segments[0] +'.' + segments[1];
-  jwt.header = new JwtHeader(header, true);
+  jwt.header = new JwtHeader(header, false);
   return done(null,jwt);
 };
 
@@ -421,7 +420,7 @@ Verifier.prototype.verify = function verify(jwtString,cb){
     //   return jwtString;
     // };
 
-    newJwt.header = new JwtHeader(header, true);
+    newJwt.header = new JwtHeader(header, false);
 
     if (!verified) {
       return done(new JwtParseError(properties.errors.SIGNATURE_MISMTACH,jwtString,header,body));

test/exports.js

@@ -22,7 +22,7 @@ describe('njwt module exports',function () {
       2IiwKICAgICJfX3Byb3RvX18iOiB7CiAgICAgICJjb21wYWN0IjogbnVsbCwKICAgICAgInJlc2VydmVkS2V5cyI6IFsKICAgICAgICAidHlwIiwKICAgICAgICAicmF
       uZG9tX2dpYmJlcmlzaCIKICAgICAgXQogICAgfQogIH0KfQ.ewogICJzdWIiOiAxLAogICJzY29wZSI6ICJ1c2VyIiwKICAianRpIjogImJhZmIxNmNlLTIwZDYtNGNk
       Ny05NDgzLTY1YTA5NThhOGU2NCIsCiAgImlhdCI6IDI1Mzc0Nzg1MDYsCiAgImV4cCI6IDI1Mzc0Nzg1MDYsCiAgIl9fcHJvdG9fXyI6IHsKICAgICJjb21wYWN0Ijog
-      bnVsbCwKICAgICJ0b0pTT04iOiBudWxsLAogICAgInBvbGx1dGVkIjogdHJ1ZQogIH0KfQ`.replaceAll(/\s/g, '');
+      bnVsbCwKICAgICJ0b0pTT04iOiBudWxsLAogICAgInBvbGx1dGVkIjogdHJ1ZQogIH0KfQ`.replace(/\s/g, '');
 
       assert.isOk(nJwt.JwtBody.prototype.hasOwnProperty('toJSON'))
       assert.isOk(nJwt.JwtBody.prototype.hasOwnProperty('compact'))