Hi, mall-cook/packages/mall-cook-service uses a hardcoded JWT secret to sign and decode JWT tokens, which makes it vulnerable to token forging and impersonating a valid user. It also uses `jwt.decode()` instead of `jwt.verify()` to decode tokens; `jwt.decode()` does not validate the token signature while decoding, which may also result in token forging by attackers.
Pull request with a fix for the above-mentioned vulnerabilities: #59
See https://r2c.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ for more details.