# SYM_JSTS_0075 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

## Improper Authentication

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-287: Improper Authentication |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | Medium |
## Description
The code decodes a JWT without verifying its signature, so it accepts any token as valid regardless of who created it. Untrusted or tampered tokens are therefore treated as genuine by your application.
## Impact
If exploited, an attacker could forge JWT tokens with arbitrary claims to impersonate users, escalate privileges, or access protected resources. This can lead to unauthorized access, data breaches, and loss of application integrity.