GMS-2015-5: JWT Verification bypass with "none" algorithm

March 31, 2015

It is possible for an attacker to create his own signed token with any payload he wants and have it considered valid using the “none” algorithm.

References

auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
github.com/namshi/jose/commit/127b4415e66d89b1fcfb5a07933db0b5ff5cd636

Detect and mitigate GMS-2015-5 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →