SYM_GO_0068 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Insufficient Verification of Data Authenticity
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-345: Insufficient Verification of Data Authenticity |
| OWASP | A08:2021 - Software and Data Integrity Failures |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The code decodes JWT tokens with ParseUnverified, which returns the header and claims without checking the signature. Anyone can therefore alter the token's contents, and the code will still treat the altered claims as valid.
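To make the difference concrete, the following added example (not code from this database or from any JWT library) re-implements both parsing behaviours using only the Go standard library: `parseUnverified` mirrors what a `ParseUnverified` call does, and `parseVerified` is the hardened equivalent that pins the algorithm and checks the HMAC before returning any claim. `signHS256` and `withRole` exist only to build constructed sample tokens; the function names, the claims layout and the demo key are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims carried by the constructed sample tokens.
type claims struct {
	Sub  string `json:"sub"`
	Role string `json:"role"`
}

var b64 = base64.RawURLEncoding

// decodeSegment base64url-decodes one token segment and unmarshals it into v.
func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// signHS256 issues a compact JWT with an HMAC-SHA256 signature; it exists
// only so the example can build sample tokens offline.
func signHS256(c claims, key []byte) (string, error) {
	p, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(p)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// parseUnverified reproduces the vulnerable behaviour of ParseUnverified: it
// decodes the payload and returns the claims without touching the signature.
func parseUnverified(token string) (claims, error) {
	var c claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("token must have exactly three segments")
	}
	err := decodeSegment(parts[1], &c)
	return c, err
}

// parseVerified is the hardened form: it pins the algorithm to HS256 (which
// also rejects "none"), recomputes the HMAC over header.payload, compares it
// in constant time, and only then hands the claims to the caller.
func parseVerified(token string, key []byte) (claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims{}, errors.New("token must have exactly three segments")
	}
	var h struct{ Alg string `json:"alg"` }
	if err := decodeSegment(parts[0], &h); err != nil {
		return claims{}, err
	}
	if h.Alg != "HS256" {
		return claims{}, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return claims{}, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) {
		return claims{}, errors.New("signature verification failed")
	}
	return parseUnverified(token) // safe here: the signature covers the payload
}

// withRole returns a copy of token with the role claim replaced but the original
// signature left in place, i.e. the tampered token the description warns about.
func withRole(token, role string) (string, error) {
	c, err := parseUnverified(token) // also validates the three-segment shape
	if err != nil {
		return "", err
	}
	c.Role = role
	p, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	parts := strings.Split(token, ".")
	return parts[0] + "." + b64.EncodeToString(p) + "." + parts[2], nil
}
```

Running `parseUnverified` on a token whose role was rewritten by `withRole` returns the rewritten role as if it were genuine, while `parseVerified` rejects that token (and a token signed with a different key, or one whose header says `alg: none`) and accepts only the untouched original. In application code built on jwt-go / golang-jwt, the corresponding fix is to call `ParseWithClaims` with a `Keyfunc` that returns the verification key and to restrict accepted algorithms with `jwt.WithValidMethods`; `ParseUnverified` is only appropriate for reading header fields such as `kid` before a key is selected, never for an authentication or authorization decision.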
Impact
If exploited, attackers could forge or modify JWT tokens to gain unauthorized access, escalate privileges, or manipulate user data. This undermines authentication and authorization, leading to serious security breaches such as account takeover or data exposure.