Hi, I just noticed while looking at your code (which is very helpful for Workers, btw) that there is no validation that the token's algorithm is the same as the one specified in `verify()`, which I would expect around here.
There is a nice writeup on the Auth0 site where they explain why this could be a critical security vuln.
Basically it boils down to the server checking the RS256 signature while an attacker sends an HS256 signature.
I could create a pull request to fix this if you want, but it more or less boils down to `if (header.alg != options.alg) throw new Error('ALG_MISMATCH')`.