CVE-2022-25898 Security fix in JWS and JWT validation

ChangeLog.txt

@@ -1,6 +1,19 @@
 
 ChangeLog for jsrsasign
 
+CVE-2022-25898 Security fix in JWS and JWT validation
+* Changes from 10.5.24 to 10.5.25 (2022-Jun-23)
+ - src/jws.js
+ - JWS.verify and JWS.verifyJWT
+ - CVE-2022-25898 SECURITY FIX: 
+ verify and verifyJWT may accept signature with special characters 
+ or \number characters by mistake.
+ Please see security advisory:
+ https://github.com/kjur/jsrsasign/security/advisories/GHSA-3fvg-4v2m-98jf
+ - src/base64x.js
+ - function isBase64URLDot added
+ - test/qunit-do-jwt-veri.html
+
 X509.getParam bugfix for v1 certificate
 * Changes from 10.5.23 to 10.5.24 (2022-Jun-04)
  - src/x509.js

README.md

@@ -39,7 +39,7 @@ HIGHLIGHTS
 - no dependency to other library
 - no dependency to [W3C Web Cryptography API](https://www.w3.org/TR/WebCryptoAPI/) nor [OpenSSL](https://www.openssl.org/)
 - no dependency on newer ECMAScirpt function. So old browsers also supported. 
-- very popular crypto library with [0.6M+ npm downloads/month](https://npm-stat.com/charts.html?package=jsrsasign&from=2016-05-01&to=2022-06-01)
+- very popular crypto library with [0.6M+ npm downloads/month](https://npm-stat.com/charts.html?package=jsrsasign&from=2016-05-01&to=2022-06-20)
 
 INSTALL
 -------
@@ -78,6 +78,7 @@ MORE TUTORIALS AND SAMPLES
 
 |published|fixed version|title/advisory|CVE|CVSS|
 |:---|:---|:---|:---|:---|
+|2022Jun24|10.5.25|[JWS and JWT signature validation vulnerability with special characters](https://github.com/kjur/jsrsasign/security/advisories/GHSA-3fvg-4v2m-98jf)|CVE-2022-25898|?|
 |2021Apr14|10.2.0|[RSA signature validation vulnerability on maleable encoded message](https://github.com/kjur/jsrsasign/security/advisories/GHSA-27fj-mc8w-j9wg)|CVE-2021-30246|9.1|
 |2020Jun22|8.0.19|[ECDSA signature validation vulnerability by accepting wrong ASN.1 encoding](https://github.com/kjur/jsrsasign/security/advisories/GHSA-p8c3-7rj8-q963)|CVE-2020-14966|5.5|
 |2020Jun22|8.0.18|[RSA RSAES-PKCS1-v1_5 and RSA-OAEP decryption vulnerability with prepending zeros](https://github.com/kjur/jsrsasign/security/advisories/GHSA-xxxq-chmp-67g4)|CVE-2020-14967|4.8|

api/files.html

@@ -681,7 +681,7 @@ <h2><a href="symbols/src/base64x-1.1.js.html">base64x-1.1.js</a></h2>
 
 
  <dt class="heading">Version:</dt>
- <dd>jsrsasign 10.5.23 base64x 1.1.29 (2022-May-27)</dd>
+ <dd>jsrsasign 10.5.25 base64x 1.1.30 (2022-Jun-23)</dd>
 
 
 
@@ -776,7 +776,7 @@ <h2><a href="symbols/src/jws-3.3.js.html">jws-3.3.js</a></h2>
 
 
  <dt class="heading">Version:</dt>
- <dd>jsrsasign 8.0.3 jws 3.3.11 (2018-Mar-11)</dd>
+ <dd>jsrsasign 10.5.25 jws 3.3.12 (2022-Jun-23)</dd>
 
 
 

api/symbols/global__.html

@@ -879,6 +879,16 @@ <h1 class="classTitle">
  </td>
  </tr>
 
+ <tr>
+ <td class="attributes">&lt;static&gt; &nbsp;</td>
+ <td class="nameDescription">
+ <div class="fixedFont"><b><a href="../symbols/global__.html#.isBase64URLDot">isBase64URLDot</a></b>(s)
+ </div>
+ <div class="description">check whether a string is a base64url encoded string and dot or not<br/>
+Input string can conclude new lines or space characters.</div>
+ </td>
+ </tr>
+
  <tr>
  <td class="attributes">&lt;static&gt; &nbsp;</td>
  <td class="nameDescription">
@@ -3184,6 +3194,66 @@ <h1 class="classTitle">
 
 
 
+ <hr />
+
+ <a name=".isBase64URLDot"> </a>
+ <div class="fixedFont">&lt;static&gt; 
+
+ <span class="light">{Boolean}</span>
+ <b>isBase64URLDot</b>(s)
+
+ </div>
+ <div class="description">
+ check whether a string is a base64url encoded string and dot or not<br/>
+Input string can conclude new lines or space characters.
+
+ <br />
+ <i>Defined in: </i> <a href="../symbols/src/base64x-1.1.js.html">base64x-1.1.js</a>.
+
+
+ </div>
+
+
+
+ <pre class="code">isBase64URLDot("YWE") &rarr; true
+isBase64URLDot("YWE.YWE.YWE") &rarr; true
+isBase64URLDot("YW-") &rarr; true
+isBase64URLDot("YW+") &rarr; false</pre>
+
+
+
+
+ <dl class="detailList">
+ <dt class="heading">Parameters:</dt>
+
+ <dt>
+ <span class="light fixedFont">{String}</span> <b>s</b>
+
+ </dt>
+ <dd>input string</dd>
+
+ </dl>
+
+
+
+ <dl class="detailList">
+ <dt class="heading">Since:</dt>
+ <dd>base64x 1.1.30 jsrsasign 10.5.25</dd>
+ </dl>
+ </dl>
+
+
+
+ <dl class="detailList">
+ <dt class="heading">Returns:</dt>
+
+ <dd><span class="light fixedFont">{Boolean}</span> true if a string "s" is a base64url encoded string and dot otherwise false</dd>
+
+ </dl>
+
+
+
+
  <hr />
 
  <a name=".ishex"> </a>