Insecure Storage of Sensitive Information
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-922: Insecure Storage of Sensitive Information |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The code decodes a JWT and reads claims from it without verifying the token's signature, so it cannot tell whether the token is genuine or has been tampered with. Any data extracted this way is untrusted input and may have been forged by an attacker.
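The following added example (not part of the rule page or of any scanner's own code) shows the flagged pattern next to its hardened form using only the Python standard library. The HS256 token minting, the demo secret, the claim values and the tampered copy are all constructed here to give the two decoders a realistic input; `insecure_claims` reads the payload with no check at all, while `verified_claims` pins the algorithm, checks the HMAC in constant time and honours `exp` before returning anything.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed for the demo; real keys come from a secret store


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url for every segment.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT strips before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_token(payload: dict, secret: bytes) -> str:
    """Mint an HS256 JWT (hypothetical issuer, used only to build sample input)."""
    header = {"alg": "HS256", "typ": "JWT"}
    head_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{head_b64}.{body_b64}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{head_b64}.{body_b64}.{b64url_encode(sig)}"


def insecure_claims(token: str) -> dict:
    """The pattern this rule flags: claims are read with NO signature check."""
    _, body_b64, _ = token.split(".")
    return json.loads(b64url_decode(body_b64))


def verified_claims(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Hardened form: verify algorithm, signature and expiry before trusting any claim."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(head_b64))
    # Pin the algorithm on the verifier side; never let the token choose it
    # (this also rejects alg "none" and HS/RS confusion attempts).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so signature bytes do not leak through timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def is_valid(token: str, secret: bytes, now: Optional[float] = None) -> bool:
    """Convenience wrapper: True only if verified_claims accepts the token."""
    try:
        verified_claims(token, secret, now)
        return True
    except ValueError:
        return False


def tampered_copy(token: str, changes: dict) -> str:
    """Rewrite the payload but keep the original signature: the forged token the rule warns about."""
    head_b64, body_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(body_b64))
    payload.update(changes)
    return f"{head_b64}.{b64url_encode(json.dumps(payload, separators=(',', ':')).encode())}.{sig_b64}"


if __name__ == "__main__":
    genuine = make_token({"sub": "alice", "role": "user", "exp": 4102444800}, SECRET)
    forged = tampered_copy(genuine, {"role": "admin"})
    print("insecure decode trusts forged role:", insecure_claims(forged)["role"])
    print("verified decode accepts forged token:", is_valid(forged, SECRET))
```

Running it shows the point of the rule: the unverified decoder happily reports `admin` for the tampered token, while the verifying decoder rejects it because the signature no longer covers the modified payload. In production the same checks are what a library call such as a `verify`/`decode(..., algorithms=[...])` function performs; the rule fires when code takes the decode-only shortcut.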
Impact
If an attacker provides a malicious or altered JWT, your application could trust and act on fake user data, permissions, or roles, leading to unauthorized access or privilege escalation. This can compromise user accounts, expose sensitive information, or allow unauthorized actions within your app.