JWT Vulnerability #3152

Open

Description

@guymguym

Environment info

  • Version: 1.8
  • Deployment: NA
  • Customer: NA

Actual behavior

  1. https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
  2. JWT allows the adversary to control the choice of algorithm the server uses to verify the token, which can be used in various ways, as explained in this link.
  3. Our exposure is not critical because we use the latest version of the library and we are not using asymmetric keys.

Expected behavior

  1. We should restrict our validation only to the default algorithm we use (HS256)

Steps to reproduce

  1. NA

Screenshots or Logs or other output that would be helpful

(If large, please upload as attachment)
