GMS-2015-4: JWT Verification bypass with "none" algorithm

March 31, 2015

It is possible for an attacker to create his own signed token with any payload he wants and have it considered valid using the “none” algorithm.

References

auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687
www.timmclean.net/2015/02/25/jwt-alg-none.html

Code Behaviors & Features

Detect and mitigate GMS-2015-4 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →