namshi/jose allows the acceptance of unsecure JSON Web Signatures (JWS) by default. The vulnerability arises from the $allowUnsecure flag, which, when set to true during the loading of JWSes, permits tokens signed with ‘none’ algorithms to be processed. This behavior poses a significant security risk as it could allow an attacker to impersonate users by crafting a valid jwt token.
Vendor | Product | Version | CPE |
---|---|---|---|
namshi | namshi\/jose | * | cpe:2.3:a:namshi:namshi\/jose:*:*:*:*:*:*:*:* |