JWT signature validation can be bypassed in versions <= 1.3.0  #3

Closed
@rcadob

Summary

The prime-jwt implementation allows any unsigned JWT to be decoded and, therefore, validated by the JWTDecoder class, even when a Verifier object is provided. This issue affects versions <= 1.3.0.

For security reasons, I'm contacting the developers by email with the necessary technical details.

Description

When JWT.getDecoder().decode(String, Verifier...) is called, the JWT signature is ignored due to a lack of validation in JWTDecoder. A new condition should be added in this class to prevent any encodedJWT without the signature part from being decoded when at least one Verifier object is present.
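The check the report asks for, as an added illustration in Python rather than prime-jwt's own Java code: a minimal compact-JWT decoder that refuses a token whose signature segment is empty (or whose header declares `alg` none) whenever at least one verifier is supplied. `HmacVerifier`, `decode` and `sign_hs256` are hypothetical names for this example, and the secret and claims are constructed sample data.

```python
import base64
import hashlib
import hmac
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

class HmacVerifier:
    # Hypothetical verifier object: HS256 with a shared secret.
    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, signing_input: bytes, signature: bytes) -> bool:
        expected = hmac.new(self.secret, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

def decode(token: str, verifiers) -> dict:
    # Returns the claims only if the token is well-formed and, when verifiers
    # are given, carries a non-empty signature that one of them accepts.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if verifiers:
        # The missing condition from the issue: an empty signature segment (or
        # an 'alg' of none) must not pass once verification has been requested.
        if signature_b64 == "" or str(header.get("alg", "none")).lower() == "none":
            raise ValueError("unsigned JWT rejected because a verifier was supplied")
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        signature = _b64url_decode(signature_b64)
        if not any(v.verify(signing_input, signature) for v in verifiers):
            raise ValueError("JWT signature verification failed")
    return json.loads(_b64url_decode(payload_b64))

def sign_hs256(claims: dict, secret: bytes) -> str:
    # Builds a signed token from constructed sample claims (HS256 only).
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```

Without the `if verifiers:` branch, the trailing-dot token in the test below would decode to the same claims as the signed one, which is exactly the bypass described in this issue.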
