# Insufficient Verification of Data Authenticity
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-345: Insufficient Verification of Data Authenticity |
| OWASP | A08:2021 - Software and Data Integrity Failures |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Low |
## Description
The code decodes a JWT without verifying its signature, so it accepts any token as valid regardless of who created it. Without signature verification, none of the token's contents or claims can be trusted.
## Impact
An attacker could forge JWT tokens with arbitrary claims (such as user roles or permissions) and gain unauthorized access or escalate privileges in your application. This can lead to data breaches, account takeover, or other serious security incidents.
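The following Java example is added here to illustrate the description and impact above; it is not code from the original page. It assumes the auth0 `java-jwt` library (`com.auth0:java-jwt`), and every secret, issuer name and claim value in it is constructed for the demonstration. The unverified path calls `JWT.decode`, which only base64-decodes the header and payload, so a token signed with a key the server never issued is accepted and its `role` claim is read as-is. The fixed path builds a `JWTVerifier` pinned to the expected algorithm and key and lets `verify` reject the same token.

```java
// Added example (not from the original page). Assumes com.auth0:java-jwt on the classpath;
// all secrets, issuer names and claim values below are constructed for the demo.
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

public class JwtVerificationExample {

    // Constructed demo secrets; a real service loads its key from configuration or a KMS.
    private static final String SERVER_SECRET = "server-side-secret-at-least-32-bytes-long!!";
    private static final String UNTRUSTED_SECRET = "some-other-key-the-server-never-issued";
    private static final String EXPECTED_ISSUER = "example-issuer";

    // VULNERABLE: JWT.decode() only base64-decodes header and payload; the signature is never checked,
    // so whatever claims the token carries are returned as if they were authentic.
    static String roleFromUnverifiedToken(String token) {
        DecodedJWT jwt = JWT.decode(token);
        return jwt.getClaim("role").asString();
    }

    // FIXED: the verifier pins the algorithm and key, checks the signature, and enforces the issuer.
    // verify() throws JWTVerificationException on any mismatch, so no claim is read from a bad token.
    static String roleFromVerifiedToken(String token) {
        JWTVerifier verifier = JWT.require(Algorithm.HMAC256(SERVER_SECRET))
                .withIssuer(EXPECTED_ISSUER)
                .build();
        DecodedJWT jwt = verifier.verify(token);
        return jwt.getClaim("role").asString();
    }

    public static void main(String[] args) {
        // Constructed token: signed with a key the server does not trust and carrying a role
        // the server never granted. This stands in for the forged token described in Impact.
        String forged = JWT.create()
                .withIssuer(EXPECTED_ISSUER)
                .withSubject("user-42")
                .withClaim("role", "admin")
                .sign(Algorithm.HMAC256(UNTRUSTED_SECRET));

        // Unverified path: the forged role is accepted without complaint.
        System.out.println("unverified decode sees role = " + roleFromUnverifiedToken(forged));

        // Verified path: the signature does not match SERVER_SECRET, so the token is rejected.
        try {
            roleFromVerifiedToken(forged);
            System.out.println("unexpected: forged token passed verification");
        } catch (JWTVerificationException e) {
            System.out.println("verified path rejected forged token: " + e.getMessage());
        }

        // A token the server actually issued passes the same verifier.
        String legitimate = JWT.create()
                .withIssuer(EXPECTED_ISSUER)
                .withSubject("user-42")
                .withClaim("role", "user")
                .sign(Algorithm.HMAC256(SERVER_SECRET));
        System.out.println("verified decode sees role = " + roleFromVerifiedToken(legitimate));
    }
}
```

When reviewing code for this finding, treat any `JWT.decode(...)` result that feeds an authorization decision as unverified input; the only call that establishes authenticity is `verify(...)` on a verifier built with the expected algorithm and key.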