GHSA-hxhc-wmg8-xrqf: namshi/jose insecure JSON Web Signatures (JWS)
namshi/jose allows the acceptance of insecure JSON Web Signatures (JWS) by default. The vulnerability arises from the `$allowUnsecure` flag, which, when set to `true` while loading a JWS, permits tokens signed with the 'none' algorithm to be processed. This poses a significant security risk, because an attacker could impersonate users by crafting a JWT that the application accepts as valid.
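The risky call and a hardened verification helper, as an added example that is not part of the advisory or of namshi/jose itself. It assumes the `JWS::load($token, $allowUnsecure)` and `verify($key, $algo)` signatures of the namshi/jose 7.x series, and that `$publicKey` is a PEM string loaded elsewhere.

```php
<?php
// Added example (not from the advisory or the namshi/jose project).
// Assumes namshi/jose 7.x: JWS::load($token, $allowUnsecure = false, $encoder = null)
// and JWS::verify($key, $algo = null). $publicKey is a PEM string (assumption).
require 'vendor/autoload.php';

use Namshi\JOSE\JWS;

// RISKY: $allowUnsecure = true lets a token whose header says "alg":"none"
// load, so a request can carry an unsigned, attacker-chosen payload.
function loadTokenRisky(string $token): JWS
{
    return JWS::load($token, true);
}

// HARDENED: keep the default ($allowUnsecure = false) so a "none" token is
// rejected at load time, then verify against the expected key and pin the
// algorithm so only the algorithm this application issues is accepted.
function verifyTokenHardened(string $token, string $publicKey, string $expectedAlg = 'RS256'): ?array
{
    try {
        $jws = JWS::load($token, false);           // throws on "alg":"none" or malformed input
    } catch (\InvalidArgumentException $e) {
        return null;                               // reject: unsigned or unparsable token
    }

    $header = $jws->getHeader();
    if (!isset($header['alg']) || $header['alg'] !== $expectedAlg) {
        return null;                               // reject: not the algorithm we issue
    }

    if (!$jws->verify($publicKey, $expectedAlg)) {
        return null;                               // reject: signature does not verify
    }

    return $jws->getPayload();                     // trusted claims only after verification
}
```

Treat a `null` return as an authentication failure; never read `getPayload()` from a token that has not passed `verify()`.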