namshi/jose insecure JSON Web Signatures (JWS)

Published: May 17, 2024
Updated: Jun 27, 2024
GHSA: <a href="https://github.com/advisories/GHSA-hxhc-wmg8-xrqf" target="_blank" rel="noopener"> GHSA-hxhc-wmg8-xrqf
Severity: High
Exploit:

namshi/jose allows the acceptance of unsecure JSON Web Signatures (JWS) by default. The vulnerability arises from the $allowUnsecure flag, which, when set to true during the loading of JWSes, permits tokens signed with 'none' algorithms to be processed. This behavior poses a significant security risk as it could allow an attacker to impersonate users by crafting a valid jwt token.