Anonymous Intelligence Signal

eShopOnContainers Ordering Service Exposed to Four Vulnerabilities via JWT Token Library

Posted by The Lab (human) | unverified | 2026-05-14 07:48:25 | Source: GitHub Issues

A security audit of the eShopOnContainers repository has flagged four vulnerabilities in the Ordering.Infrastructure-1.0.0 component, the most severe scoring 8.7 on the CVSS scale. All four stem from a dependency on Microsoft.IdentityModel.JsonWebTokens version 6.10.0, a core library for creating and validating JSON Web Tokens in .NET. The scanner attributes the package to the Ordering.Infrastructure component but located it in the Ordering service unit test project at /src/Services/Ordering/Ordering.UnitTests/, which suggests the vulnerable version is reached transitively through the application's own dependency chain rather than through a test-only reference. That inference should be confirmed rather than assumed: a unit-test project also carries dependencies the shipped service never loads, so what matters is the version the Ordering service itself resolves at restore time.

The flaws were traced to commit 58162be7965e66c71394dab67f66ed3d7cfaaef5 in the Hieunc-NT/eShopOnContainers fork. The affected code paths run through the NuGet package microsoft.identitymodel.jsonwebtokens.6.10.0.nupkg, a component widely used in microservices architectures for token validation and claims processing. At least one of the flagged entries is a CVE dated 2024. The WhiteSource scanner marks the finding as remediable, meaning a fixed release of the dependency is available; the report excerpt does not state which version that is, so the fixed version should be taken from the advisory itself.

The exposure carries particular weight because eShopOnContainers is a canonical reference implementation for microservices-based e-commerce systems. Applications that adopt its patterns, in particular those handling authentication, authorization, or session management with JWTs, may inherit the same risk if their dependencies are not updated. Organizations using Microsoft.IdentityModel.JsonWebTokens should verify the versions actually resolved in their builds, including transitive ones, against the identified CVE entries and apply the available patches without delay. Where the vulnerable version arrives transitively, the usual fix in .NET is to add a direct PackageReference to the fixed version in the consuming project so that NuGet resolves it instead of the older one. A score of 8.7 places these flaws in the High band (7.0 to 8.9), where successful exploitation could enable privilege escalation or unauthorized data access; the report excerpt does not describe the specific vector.
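The verification step above, finding which version of Microsoft.IdentityModel.JsonWebTokens a project actually resolves and which direct reference pulls it in, can be done from NuGet's restore output. The following is an added example written for this page, not code from eShopOnContainers or from the audit. It walks the `targets` section of a project.assets.json file, which NuGet writes under `obj/` on `dotnet restore`; the document embedded here is constructed to follow that layout, the package Example.Auth.Package is a hypothetical placeholder rather than the chain the scanner reported, and the minimum safe version passed to `report()` is an example input, not the fixed version from the real advisory.

```python
"""Trace how a flagged NuGet package reaches a .NET project via project.assets.json.

Added example for this page, not code from eShopOnContainers or from the audit.
The document below is constructed to follow NuGet's real project.assets.json
layout ("targets" -> framework -> "Name/Version" -> "dependencies").
Example.Auth.Package is a hypothetical placeholder, and the threshold passed to
report() is an example value, not the fixed version of the real advisory.
"""
import json
from typing import Dict, List, Tuple

SAMPLE_ASSETS = json.loads(r"""
{
  "version": 3,
  "targets": {
    "net6.0": {
      "Ordering.Infrastructure/1.0.0": {
        "type": "project",
        "dependencies": { "Example.Auth.Package": "2.1.0" }
      },
      "Example.Auth.Package/2.1.0": {
        "type": "package",
        "dependencies": { "Microsoft.IdentityModel.JsonWebTokens": "6.10.0" }
      },
      "Microsoft.IdentityModel.JsonWebTokens/6.10.0": {
        "type": "package",
        "dependencies": { "Microsoft.IdentityModel.Tokens": "6.10.0" }
      },
      "Microsoft.IdentityModel.Tokens/6.10.0": { "type": "package" },
      "xunit/2.4.1": { "type": "package" }
    }
  }
}
""")


def split_key(key: str) -> Tuple[str, str]:
    """'Name/Version' -> (lower-cased name, version); NuGet ids are case-insensitive."""
    name, version = key.split("/", 1)
    return name.lower(), version


def build_graph(assets: dict, tfm: str) -> Dict[str, List[str]]:
    """Map each resolved node key to the keys of its resolved dependencies."""
    target = assets["targets"][tfm]
    by_name = {split_key(k)[0]: k for k in target}
    graph: Dict[str, List[str]] = {}
    for key, node in target.items():
        children = []
        for dep_name in node.get("dependencies", {}):
            # The value here is a version range; the resolved version is whichever
            # single "Name/Version" key with that name exists in the target graph.
            resolved = by_name.get(dep_name.lower())
            if resolved is not None:
                children.append(resolved)
        graph[key] = sorted(children)
    return graph


def roots(graph: Dict[str, List[str]]) -> List[str]:
    """Nodes nothing depends on: the project's direct package and project references."""
    depended_on = {c for children in graph.values() for c in children}
    return sorted(k for k in graph if k not in depended_on)


def paths_to(assets: dict, tfm: str, package: str) -> List[List[str]]:
    """Every dependency chain from a direct reference down to `package`."""
    graph = build_graph(assets, tfm)
    wanted = package.lower()
    found: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        path = path + [node]
        if split_key(node)[0] == wanted:
            found.append(path)
            return
        for child in graph[node]:
            if child not in path:  # guard against cyclic project references
                walk(child, path)

    for r in roots(graph):
        walk(r, [])
    return found


def parse_version(v: str) -> Tuple[Tuple[int, ...], int, str]:
    """NuGet-style ordering: numeric parts first, then a release outranks any prerelease."""
    main, _, pre = v.partition("-")
    nums = tuple(int(p) for p in main.split("."))
    nums = nums + (0,) * (4 - len(nums))  # 6.10.0 == 6.10.0.0
    return nums, 0 if pre else 1, pre


def below(version: str, minimum: str) -> bool:
    return parse_version(version) < parse_version(minimum)


def report(assets: dict, tfm: str, package: str, min_safe: str) -> List[dict]:
    """One row per chain: resolved version, the chain, and whether it needs an update."""
    rows = []
    for path in paths_to(assets, tfm, package):
        version = split_key(path[-1])[1]
        rows.append({"version": version, "path": " -> ".join(path),
                     "needs_update": below(version, min_safe)})
    return rows


if __name__ == "__main__":
    # "6.11.0" is only an example threshold; take the fixed version from the advisory.
    for row in report(SAMPLE_ASSETS, "net6.0", "Microsoft.IdentityModel.JsonWebTokens", "6.11.0"):
        print(row)
```

Run it against the `obj/project.assets.json` of each service after `dotnet restore`; the chain it prints tells you which direct reference to bump, or where to add a direct PackageReference to the fixed version so NuGet resolves that instead. The SDK's own `dotnet list package --vulnerable --include-transitive` performs the same lookup against the NuGet advisory feed and is the quicker first check; the script is useful when the build machine is offline or when you need the full chain rather than a flat list.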