Seems client can pass any token with none algo
baverman opened this issue · 3 comments
There is no list of acceptable algos in the decode method, and an attacker can forge a token with the none algo and it will be valid.
Yes, I just ran into the same issue while testing out this library, and for that reason switched to a different implementation. The "none" algorithm attack is well known and should really be fixed.
For some more information:
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
Thank you both for notifying about the use of the none algorithm.
I'm aware of this vector and have implemented an algorithms parameter on JWT.decode, which explicitly specifies the algorithms to be used, in a1dc918. In addition, I dropped the none algorithm from supported_signing_algorithms by default.
I will publish this version on PyPI soon.
I have just released v0.6.0.
Thank you.
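The check the maintainer describes (an explicit allowlist of algorithms that the header's "alg" must match before any verification happens) as an added, self-contained example; this is not the library's own code, and the function names verify_jwt, make_hs256_token and b64url_encode are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(part: str) -> bytes:
    # Restore the padding that b64url_encode stripped.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    # Builds a legitimately signed token so the verifier has a positive case.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, algorithms) -> dict:
    """Return the claims if the token is signed with an allowlisted algorithm, else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    # The fix from the thread: the caller's allowlist decides which
    # algorithms are acceptable, so a header claiming "none" is rejected
    # here unless the caller deliberately allowed it.
    if alg not in algorithms:
        raise ValueError(f"algorithm {alg!r} not allowed")
    # Only HS256 is implemented in this example.
    if alg != "HS256":
        raise ValueError(f"algorithm {alg!r} not implemented here")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))
```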