Lucene search

K
osvGoogleOSV:GHSA-HXHC-WMG8-XRQF
HistoryMay 17, 2024 - 10:31 p.m.

namshi/jose insecure JSON Web Signatures (JWS)

2024-05-1722:31:42
Google
osv.dev
6
namshi/jose
json web signatures
vulnerability
$allowunsecure flag
'none' algorithm
security risk

7 High

AI Score

Confidence

High

namshi/jose allows the acceptance of unsecure JSON Web Signatures (JWS) by default. The vulnerability arises from the $allowUnsecure flag, which, when set to true during the loading of JWSes, permits tokens signed with ‘none’ algorithms to be processed. This behavior poses a significant security risk as it could allow an attacker to impersonate users by crafting a valid jwt token.

7 High

AI Score

Confidence

High