Affected versions of the jwt-simple
package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT, the end result is a complete authentication bypass with minimal effort.
Update to version 0.3.1 or later.
Additionally, be sure to always specify an algorithm in calls to .decode()
.
CPE | Name | Operator | Version |
---|---|---|---|
jwt-simple | le | 0.3.0 |