Forgeable Public/Private Tokens in jwt-simple

2018-11-06T23:12:07
ID GHSA-VGRX-W6RG-8FQF
Type github
Reporter GitHub Advisory Database
Modified 2021-01-08T01:57:18

Description

Affected versions of the jwt-simple package allow users to select which algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common JWT use case, the end result is a complete authentication bypass with minimal effort.

Recommendation

Update to version 0.3.1 or later.

Additionally, be sure to always specify an algorithm in calls to .decode().