GMS-2015-7: JWT Verification bypass
It is possible for an attacker to bypass verification when “a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker sends a token digitally signed with a symmetric algorithm (HS* family)”.
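The condition described above, as an added example that is not code from the advisory or from any affected library: a verifier that takes the algorithm from the token header accepts an HS256 token whose MAC was keyed with the RSA public key, while a verifier that pins the expected algorithms rejects it. All function names, the key pair, and the tokens are constructed for illustration, and only RS256 and HS256 are handled.

```javascript
const nodeCrypto = require('crypto');

const b64url = (x) => Buffer.from(x).toString('base64url');
const parse = (token) => {
  const [h, p, s] = token.split('.');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  return { header, input: `${h}.${p}`, sig: Buffer.from(s || '', 'base64url') };
};

// Signature check for one algorithm from each family the advisory names.
function checkSignature(alg, input, sig, key) {
  if (alg === 'RS256') return nodeCrypto.verify('RSA-SHA256', Buffer.from(input), key, sig);
  if (alg === 'HS256') {
    const mac = nodeCrypto.createHmac('sha256', key).update(input).digest();
    return mac.length === sig.length && nodeCrypto.timingSafeEqual(mac, sig);
  }
  return false;
}

// Vulnerable pattern: the algorithm comes from the untrusted token header, so
// the public key (not a secret) ends up used as an HMAC key.
function verifyTrustingHeader(token, key) {
  const { header, input, sig } = parse(token);
  return checkSignature(header.alg, input, sig, key);
}

// Hardened pattern: the caller states which algorithms belong to this key and
// anything else is refused before any signature work. Malformed input fails closed.
function verifyPinned(token, key, allowedAlgs) {
  try {
    const { header, input, sig } = parse(token);
    if (!allowedAlgs.includes(header.alg)) return false;
    return checkSignature(header.alg, input, sig, key);
  } catch (err) {
    return false;
  }
}

// Constructed sample data: a throwaway key pair, a legitimate RS256 token, and
// an HS256 token of the kind the advisory describes.
function makeSamples() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const body = b64url(JSON.stringify({ sub: 'demo' }));
  const rsIn = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${body}`;
  const rsSig = nodeCrypto.sign('RSA-SHA256', Buffer.from(rsIn), privateKey);
  const hsIn = `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${body}`;
  const hsSig = nodeCrypto.createHmac('sha256', publicKey).update(hsIn).digest();
  return { publicKey, rsToken: `${rsIn}.${b64url(rsSig)}`, hsToken: `${hsIn}.${b64url(hsSig)}` };
}
```

When checking a dependency or your own call sites, the thing to look for is a verification call that is handed an asymmetric public key without an explicit list of accepted algorithms.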