gree/jose - "None" Algorithm treated as valid in tokens

Published: May 15, 2024
Updated: Jun 27, 2024
GHSA: <a href="https://github.com/advisories/GHSA-9gxv-x7rp-r2hc" target="_blank" rel="noopener"> GHSA-9gxv-x7rp-r2hc
Severity: Critical
Exploit:

Several widely-used JSON Web Token (JWT) libraries, including node-jsonwebtoken, pyjwt, namshi/jose, php-jwt, and jsjwt, are affected by critical vulnerabilities that could allow attackers to bypass the verification step when using asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512).