A critical cache poisoning vulnerability exists in the get-jwks library, which is used by multiple products for handling authentication keys. This flaw could allow a remote attacker to trick an application into trusting malicious keys, enabling them to forge authentication tokens and gain unauthorized access to systems and sensitive data. Due to its critical severity, immediate patching is strongly recommended.

The get-jwks library is vulnerable to a cache poisoning attack. The library fetches and caches JSON Web Key Sets (JWKS) based on the issuer (iss) claim within a JSON Web Token (JWT). An attacker can craft a JWT with a malicious iss claim that points to an attacker-controlled server. When the vulnerable application processes this token, it will fetch the JWKS from the malicious endpoint and cache it. Subsequent legitimate authentication attempts will then be validated against the attacker's cached keys, allowing the attacker to forge valid tokens and bypass authentication controls to gain unauthorized access.

This vulnerability is rated as critical severity with a CVSS score of 9.4. Successful exploitation could lead to a complete compromise of the authentication mechanism for affected applications. The potential business impact is severe, including unauthorized access to confidential company data, customer information, and internal systems. This could result in significant data breaches, financial loss, reputational damage, and regulatory penalties. An attacker could potentially escalate privileges and gain full control over affected systems.

Immediate Action: Immediately identify all products using the vulnerable get-jwks library and update them to the latest patched versions as recommended by the respective software vendors. The underlying library should be updated to version 11.0.2 or newer. After patching, monitor systems for any signs of compromise and review authentication and access logs for suspicious activity that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring of authentication logs, looking for unusual or malformed iss claims in JWTs. Monitor outbound network traffic from application servers for requests to unexpected or non-standard JWKS endpoints. Set up alerts for unusual spikes in authentication failures or successes, which could indicate a successful cache poisoning event.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Use a Web Application Firewall (WAF) or API gateway to inspect incoming JWTs and block any tokens containing iss claims that do not match a pre-approved allowlist of trusted issuers.
• Implement strict network egress filtering to prevent the application server from making outbound connections to untrusted URLs, thereby blocking attempts to fetch malicious JWKS files.
• If possible, configure applications to use a static, hardcoded list of trusted JWKS endpoints, disabling the dynamic fetching mechanism based on the token's iss claim.

Public Exploit Available: false

This vulnerability represents a critical risk to the organization. Due to the high CVSS score of 9.4, all system owners must treat this as a top priority. Organizations should immediately initiate their incident response and vulnerability management processes to identify, assess, and remediate all affected systems. Although this CVE is not currently listed on the CISA KEV catalog, its potential for a full authentication bypass warrants immediate action. The remediation and monitoring steps outlined in this report should be implemented without delay to prevent potential compromise.