GHSA-88q6-jcjg-hvmw: jose-swift has JWT Signature Verification Bypass via None Algorithm
An authentication bypass vulnerability allows any unauthenticated attacker to forge arbitrary JWT tokens by setting "alg": "none" in the token header. The library's verification functions immediately return true for such tokens without performing any cryptographic verification, enabling complete impersonation of any user and privilege escalation.
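A defensive pre-check for the condition described above, as an added example that is not jose-swift code and does not use its API: it reads the compact token's header with Foundation only and rejects any "alg" outside a caller-chosen allowlist before the token reaches signature verification. The function and error names are hypothetical, the ES256 allowlist is an assumption, and the sample token is constructed.

```swift
import Foundation

enum JWSGuardError: Error { case malformed, algorithmNotAllowed(String), missingSignature }

// Decode one base64url segment (URL-safe alphabet, padding stripped).
func base64URLDecode(_ segment: Substring) -> Data? {
    var s = String(segment).replacingOccurrences(of: "-", with: "+")
                           .replacingOccurrences(of: "_", with: "/")
    s += String(repeating: "=", count: (4 - s.count % 4) % 4)
    return Data(base64Encoded: s)
}

// Hypothetical guard (not a jose-swift API). Returns the header's "alg" only
// when it is on the caller's allowlist and a signature segment is present.
func requireAllowedAlgorithm(in token: String, allowed: Set<String>) throws -> String {
    // A compact token is exactly header.payload.signature.
    let parts = token.split(separator: ".", omittingEmptySubsequences: false)
    guard parts.count == 3,
          let headerData = base64URLDecode(parts[0]),
          let object = try? JSONSerialization.jsonObject(with: headerData),
          let header = object as? [String: Any],
          let alg = header["alg"] as? String
    else { throw JWSGuardError.malformed }
    // Exact, case-sensitive allowlist match: "none", "None" and "NONE" all fail
    // because none of them is a listed algorithm.
    guard allowed.contains(alg) else { throw JWSGuardError.algorithmNotAllowed(alg) }
    // A token that claims a signing algorithm must carry a signature.
    guard !parts[2].isEmpty else { throw JWSGuardError.missingSignature }
    return alg
}

// Constructed sample: header {"alg":"none","typ":"JWT"}, payload {"sub":"admin"},
// empty signature segment.
let unsigned = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhZG1pbiJ9."
do {
    let alg = try requireAllowedAlgorithm(in: unsigned, allowed: ["ES256"])
    print("alg \(alg) allowed; pass the token on to signature verification")
} catch {
    print("rejected before verification: \(error)")
}
```

The allowlist should name only the algorithms the application actually issues, so the header of an incoming token never selects how it is verified.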