Authorization bypass in github.com/dgrijalva/jwt-go
High severity
GitHub Reviewed
Published
May 18, 2021
to the GitHub Advisory Database
•
Updated May 20, 2024
Description
Published by the National Vulnerability Database
Sep 30, 2020
Reviewed
May 18, 2021
Published to the GitHub Advisory Database
May 18, 2021
Last updated
May 20, 2024
jwt-go allows attackers to bypass intended access restrictions in situations with
[]string{}
form["aud"]
(which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1References