GMS-2015-6: JWT Verification bypass
It is possible for an attacker to bypass verification when the server expects “a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker sends a token digitally signed with a symmetric algorithm (HS* family)”. It is also possible for an attacker to create his own signed token with any payload he wants and have it considered valid using the “none” algorithm.
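Both bypasses work only when the verifier lets the token's own header decide which algorithm is applied. The verifier below, an added example that is not part of this advisory, pins the expected algorithm server-side and rejects any token whose header disagrees; only HS256 signature checking is implemented (with the standard library), and the secret and key bytes are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_token(header: dict, payload: dict, secret: bytes = b"") -> str:
    """Build a compact JWT for test input: HMAC-SHA256 signature when a
    secret is given, otherwise an empty signature (the alg=none shape)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest() if secret else b""
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, expected_alg: str, key: bytes) -> dict:
    """Return the payload only if the token validates under the verifier's
    own expected_alg. The header's "alg" is compared, never trusted."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != expected_alg:
        # Rejects alg=none outright, and rejects an HS* token presented
        # to a verifier configured for an RS/ES public key.
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if expected_alg != "HS256":
        raise NotImplementedError("only HS256 verification is shown here")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(body_b64))


def is_valid(token: str, expected_alg: str, key: bytes) -> bool:
    """Boolean convenience wrapper around verify_token."""
    try:
        verify_token(token, expected_alg, key)
        return True
    except (ValueError, NotImplementedError):
        return False
```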