SYM_RB_0004 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Insufficient Verification of Data Authenticity
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-345: Insufficient Verification of Data Authenticity |
OWASP | A08:2021 - Software and Data Integrity Failures |
Confidence Level | Low |
Impact Level | Low |
Likelihood Level | Low |
Description
The code decodes JWT tokens without verifying their signature, so it accepts tokens without checking that they were actually issued by a trusted signer. This allows untrusted or tampered tokens to be used in your application.
Impact
If exploited, attackers could forge JWT tokens with any claims they want (such as elevated privileges or fake user identities), leading to unauthorized access, privilege escalation, or data breaches. This can compromise user accounts and the overall security of the application.
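The vulnerable pattern from the description next to its hardened form, as an added example that is not part of this wiki entry. It uses only the Python standard library (no JWT library), assumes HS256 with a shared key, and constructs its own demo key and tokens so it runs offline:

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT for the given claims (constructed demo issuer)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """Vulnerable pattern (CWE-345): claims are read straight out of the payload
    segment and the signature segment is never checked, so any edited payload
    is accepted as genuine."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def decode_verified(token: str, key: bytes) -> dict:
    """Hardened form: pin the expected algorithm, recompute the HMAC over the
    header and payload, compare in constant time, and only then trust claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # rejects "none" and algorithm-confusion headers
        raise ValueError("unexpected alg in JWT header")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("JWT signature verification failed")
    return json.loads(b64url_decode(payload_b64))


def with_replaced_claims(token: str, new_claims: dict) -> str:
    """Constructed test input: same header and signature, different payload.
    Used only to show that the unverified decoder accepts it and the verified one does not."""
    header_b64, _payload, sig_b64 = token.split(".")
    payload = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload}.{sig_b64}"
```

A real deployment should additionally check registered claims such as `exp`, `iss` and `aud` after the signature passes; signature verification alone only establishes that the token was issued with the key.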