CVE-2022-31053
📋 TL;DR
CVE-2022-31053 is a critical authentication bypass vulnerability in Biscuit v1 tokens that allows attackers to forge valid gamma signatures, enabling them to create tokens with any access level. This affects all systems using Biscuit v1 tokens for authentication and authorization in microservices architectures. The vulnerability is present in the specification itself, not just specific implementations.
💻 Affected Systems
- Biscuit authentication tokens
📦 What is this software?
Biscuit Auth by Biscuitsec
Biscuit Go by Biscuitsec
Biscuit Haskell by Biscuitsec
Biscuit Java by Clever Cloud
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the authentication system, allowing attackers to impersonate any user, escalate privileges to administrative levels, and bypass all authorization controls across all services using Biscuit tokens.
Likely Case
Attackers forge tokens to gain unauthorized access to protected resources, potentially leading to data breaches, privilege escalation, and lateral movement within microservices environments.
If Mitigated
With proper network segmentation and additional authentication layers, impact could be limited to specific services rather than entire infrastructure.
🎯 Exploit Status
The vulnerability is in the cryptographic specification itself, making exploitation feasible for attackers with sufficient cryptographic knowledge. Academic papers detail the attack methodology.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Biscuit specification version 2
Vendor Advisory: https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr
Restart Required: No
Instructions:
1. Migrate from Biscuit v1 to v2 specification.
2. Update all Biscuit implementations to use v2-compatible libraries.
3. Replace all v1 tokens with v2 tokens across your infrastructure.
4. Update token validation logic to reject v1 tokens.
🔧 Temporary Workarounds
No workarounds available
The vulnerability is in the cryptographic specification itself, so there are no configuration-based workarounds.
🧯 If You Can't Patch
- Implement additional authentication layers (e.g., mutual TLS, API gateways with separate auth)
- Deploy network segmentation to limit blast radius of compromised tokens
🔍 How to Verify
Check if Vulnerable:
Check if your authentication system uses Biscuit tokens and verify the token specification version. Review cryptographic implementation against v1 specification.
Check Version:
Check your Biscuit library version and ensure it implements v2 specification (e.g., for Rust: cargo tree | grep biscuit)
Verify Fix Applied:
Confirm all tokens in use are v2 format and that v1 tokens are rejected. Test that updated implementations properly validate v2 signatures.
📡 Detection & Monitoring
Log Indicators:
- Failed token validations with gamma signature errors
- Unusual token generation patterns
- Authentication attempts with malformed tokens
Network Indicators:
- Unusual authentication traffic patterns
- Tokens with unexpected privilege levels
SIEM Query:
auth_token: "biscuit" AND (token_version: "1" OR gamma_signature: *)
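The SIEM query above expressed as a script you can run over exported JSON-lines gateway logs, as an added example (not part of the original advisory or of any Biscuit project); the log lines, field names and source addresses are constructed for illustration:

```python
import json
from collections import Counter

# Constructed sample auth-gateway events (not real logs). Field names mirror
# the SIEM query above: auth_token, token_version, gamma_signature.
SAMPLE_LOG = """\
{"ts":"2022-06-01T10:00:01Z","src":"10.0.1.5","auth_token":"biscuit","token_version":"2","result":"ok"}
{"ts":"2022-06-01T10:00:02Z","src":"10.0.1.9","auth_token":"biscuit","token_version":"1","result":"ok"}
{"ts":"2022-06-01T10:00:03Z","src":"10.0.1.9","auth_token":"biscuit","token_version":"1","gamma_signature":"error","result":"denied"}
{"ts":"2022-06-01T10:00:04Z","src":"10.0.2.7","auth_token":"jwt","token_version":"1","result":"ok"}
{"ts":"2022-06-01T10:00:05Z","src":"10.0.1.9","auth_token":"biscuit","token_version":"2","result":"ok"}
"""


def matches_query(event: dict) -> bool:
    """Equivalent of: auth_token:"biscuit" AND (token_version:"1" OR gamma_signature:*)."""
    if event.get("auth_token") != "biscuit":
        return False
    return str(event.get("token_version")) == "1" or "gamma_signature" in event


def scan(log_text: str):
    """Return (matching events, number of matches per source address).

    The per-source count is what surfaces the "unusual token generation
    patterns" indicator: one client repeatedly presenting v1 tokens after the
    v2 migration stands out immediately.
    """
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        if matches_query(event):
            hits.append(event)
    per_src = Counter(e.get("src", "?") for e in hits)
    return hits, per_src


if __name__ == "__main__":
    hits, per_src = scan(SAMPLE_LOG)
    for e in hits:
        print(e["ts"], e["src"], "v" + str(e.get("token_version")),
              "gamma_signature_error" if "gamma_signature" in e else "")
    print("matches per source:", dict(per_src))
```

A v1 token that still validates successfully (`result: ok`) after the migration deadline is the more urgent finding, since it means a service is still accepting the vulnerable format.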