Affected versions of the
jwt-simple package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT, the end result is a complete authentication bypass with minimal effort.
Update to version 0.3.1 or later.
Additionally, be sure to always specify an algorithm in calls to