GHSA-88q6-jcjg-hvmw: jose-swift has JWT Signature Verification Bypass via None Algorithm
An authentication bypass vulnerability allows any unauthenticated attacker to forge arbitrary JWT tokens by setting "alg": "none" in the token header. The library's verification functions immediately return true for such tokens without performing any cryptographic verification, enabling complete impersonation of any user and privilege escalation.
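The following is an added illustration, not code from jose-swift or from the advisory, written in Python rather than Swift so it can be run anywhere. It contrasts the verification pattern the advisory describes (the token header's alg field decides whether a signature is checked, so alg "none" short-circuits to success) with a hardened verifier that only accepts algorithms from a server-side allowlist. The key, claims and the make_token helper are constructed for the demo; only HS256 is implemented.

```python
import base64
import hashlib
import hmac
import json

# Server-side allowlist of signature algorithms. "none" is deliberately absent:
# the JWT header is attacker-controlled input and must never choose the algorithm.
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore padding that JWT base64url encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def make_token(header: dict, payload: dict, key: bytes) -> str:
    """Constructed helper that builds sample tokens for the demo (not a library API)."""
    signing_input = _encode_part(header) + "." + _encode_part(payload)
    if header.get("alg") == "HS256":
        sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return signing_input + "." + _b64url_encode(sig)
    # An unsecured JWS (alg "none", RFC 7518 section 3.6) carries an empty signature part.
    return signing_input + "."


def verify_vulnerable(token: str, key: bytes):
    """The flawed pattern: the header's alg decides what gets checked."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    if header.get("alg") == "none":
        return payload  # bypass: accepted without any cryptographic verification
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return payload
    return None


def verify_hardened(token: str, key: bytes, allowed=ALLOWED_ALGS):
    """Reject any alg outside the caller's allowlist, then verify the MAC.

    Returns the payload on success and None on any failure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, TypeError):
        return None
    alg = header.get("alg") if isinstance(header, dict) else None
    # Covers "none", "None", a missing alg, non-string values and any unexpected algorithm.
    if not isinstance(alg, str) or alg not in allowed:
        return None
    if alg == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        try:
            provided = _b64url_decode(sig_b64)
        except (ValueError, TypeError):
            return None
        if not sig_b64 or not hmac.compare_digest(expected, provided):
            return None
        return json.loads(_b64url_decode(payload_b64))
    return None


if __name__ == "__main__":
    # Constructed demo key and claims.
    KEY = b"constructed-demo-key"
    good = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "admin": False}, KEY)
    forged = make_token({"alg": "none", "typ": "JWT"}, {"sub": "alice", "admin": True}, KEY)
    print("vulnerable accepts forged token:", verify_vulnerable(forged, KEY))  # payload returned
    print("hardened accepts forged token:  ", verify_hardened(forged, KEY))    # None
    print("hardened accepts valid token:   ", verify_hardened(good, KEY))      # payload returned
```

The design point is that the allowlist lives in the verifier's configuration, not in the token: a verifier that branches on the header's alg value has already let the attacker pick the check. The same allowlist approach also closes related confusion cases (for example an RS256 public key being reused as an HS256 secret) because only the algorithms the service actually issues are ever consulted.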
References
- github.com/advisories/GHSA-88q6-jcjg-hvmw
- github.com/beatt83/jose-swift
- github.com/beatt83/jose-swift/commit/13e5ae6f23ef1487b0dad72540eff414272bd7ca
- github.com/beatt83/jose-swift/pull/62
- github.com/beatt83/jose-swift/releases/tag/6.0.2
- github.com/beatt83/jose-swift/security/advisories/GHSA-88q6-jcjg-hvmw
Detect and mitigate GHSA-88q6-jcjg-hvmw with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.