The hook
JWT bugs are dangerous because they look like authentication while skipping the proof. If a backend trusts decoded claims without enforcing the signature algorithm and key, an attacker can mint their own identity.
Conas a oibríonn sé
JWT verification must reject unsigned or weakly signed tokens. If an application accepts attacker-controlled token metadata as trusted, identity and authorization claims can be forged.
The blast radius
Accepting an unsigned token can allow forged users, roles, tenants, or admin claims depending on what the app stores in JWT payloads. In multi-tenant apps, this can become cross-account data access.
// what fixvibe checks
What FixVibe checks
FixVibe checks this class with verified-domain active testing that is bounded, non-destructive, and evidence-driven. Public reports describe the affected surface and remediation. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.
Ironclad defenses
Use the provider SDK or verifier API, allowlist the expected algorithms, and validate issuer, audience, expiration, and signature before using claims. Add tests for `alg: none`, wrong-key, wrong-issuer, and expired tokens.