CVE-2024-51744: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations
Unclear documentation of the error behavior in ParseWithClaims can lead to situations where users do not check its errors the way they should. In particular, if a token is both expired and carries an invalid signature, the single error value returned by ParseWithClaims reports both conditions. Callers that only test for jwt.ErrTokenExpired with errors.Is will match (the check succeeds), overlook the jwt.ErrTokenSignatureInvalid that is reported alongside it, and may therefore accept a token whose signature never verified. The safe discipline is to treat any non-nil error from ParseWithClaims as a rejection unless every cause it reports is one the caller deliberately tolerates; a positive errors.Is match on one sentinel says nothing about the other checks.
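The failure mode described above, as an added Go example that is not part of this advisory or of the golang-jwt library. It uses a small stand-in, parseWithClaims, which builds and verifies real HS256 tokens but, as the advisory describes, reports the expiry and signature failures together in one joined error; it then contrasts the vulnerable caller pattern (acceptNaive, which keys only on ErrTokenExpired) with a hardened one (acceptHardened via onlyExpired) that tolerates expiry only when it is the sole root cause. The sentinel error values, the Token type, the helper names, and the sample key and claims are all assumptions constructed for this example, not the library's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Sentinel errors named after the golang-jwt ones the advisory mentions; local
// stand-ins so the example runs offline, not the library's own values.
var (
	ErrTokenMalformed        = errors.New("token is malformed")
	ErrTokenExpired          = errors.New("token is expired")
	ErrTokenSignatureInvalid = errors.New("token signature is invalid")
)

// Token keeps only what the example needs from the library's Token type.
type Token struct {
	Claims map[string]any
	Valid  bool
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(key []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// sign builds a compact HS256 token; used here only to construct sample input.
func sign(claims map[string]any, key []byte) string {
	payload, _ := json.Marshal(claims)
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	return signingInput + "." + b64(hs256(key, signingInput))
}

// parseWithClaims stands in for the library's ParseWithClaims with the error behaviour the
// advisory describes: exp and signature are both checked and both failures come back in one
// joined error, so errors.Is(err, ErrTokenExpired) is true even when the signature failed.
func parseWithClaims(tokenString string, key []byte, now time.Time) (*Token, error) {
	parts := strings.Split(tokenString, ".")
	if len(parts) != 3 {
		return nil, ErrTokenMalformed
	}
	tok := &Token{Claims: map[string]any{}}
	if payload, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &tok.Claims) != nil {
		return nil, ErrTokenMalformed
	}
	var causes []error
	if exp, ok := tok.Claims["exp"].(float64); ok && now.Unix() >= int64(exp) {
		causes = append(causes, ErrTokenExpired)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(key, parts[0]+"."+parts[1])) {
		causes = append(causes, ErrTokenSignatureInvalid)
	}
	if len(causes) > 0 {
		return tok, errors.Join(causes...)
	}
	tok.Valid = true
	return tok, nil
}

// acceptNaive is the pattern the advisory warns about: a flow that tolerates expired tokens
// (a refresh endpoint, say) and keys only on ErrTokenExpired, so expired AND forged gets through.
func acceptNaive(tok *Token, err error) bool {
	return err == nil || errors.Is(err, ErrTokenExpired)
}

// onlyExpired walks the whole error tree (Unwrap() error and Unwrap() []error) and
// reports whether expiry is the only root cause.
func onlyExpired(err error) bool {
	switch u := err.(type) {
	case interface{ Unwrap() []error }:
		for _, c := range u.Unwrap() {
			if !onlyExpired(c) {
				return false
			}
		}
		return true
	case interface{ Unwrap() error }:
		if inner := u.Unwrap(); inner != nil {
			return onlyExpired(inner)
		}
	}
	return err == ErrTokenExpired
}

// acceptHardened takes a fully valid token, or an expired one only if nothing else failed.
func acceptHardened(tok *Token, err error) bool {
	return tok != nil && (tok.Valid || onlyExpired(err))
}

func main() {
	key, now := []byte("server-signing-key"), time.Unix(1_700_000_000, 0) // constructed sample values
	claims := map[string]any{"sub": "alice", "exp": float64(now.Add(-time.Hour).Unix())}
	tok, err := parseWithClaims(sign(claims, []byte("attacker-key")), key, now) // expired AND forged
	fmt.Printf("err=%v | naive accepts=%v | hardened accepts=%v\n", err, acceptNaive(tok, err), acceptHardened(tok, err))
}
```

Running it prints an error that errors.Is matches for both ErrTokenExpired and ErrTokenSignatureInvalid, with the naive caller accepting the forged token and the hardened caller rejecting it. The same discipline applies against the real library: enumerate every cause the returned error reports, or simply treat any non-nil error as a rejection, rather than deriving trust from one sentinel match.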