Insufficient Verification of Data Authenticity
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-345: Insufficient Verification of Data Authenticity |
| OWASP | A08:2021 - Software and Data Integrity Failures |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The code decodes a JWT without verifying its signature, so it trusts the token's claims without checking whether they were tampered with. Always verify a JWT's signature before using any of its claims, so that a forged or altered token is rejected rather than accepted.
Impact
If exploited, an attacker could craft fake JWT tokens with arbitrary claims (such as elevated privileges or user IDs) and the application would accept them as valid. This can lead to unauthorized access, privilege escalation, and serious breaches of data or functionality.
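The following added example (not code from the page or any scanner rule) contrasts the flawed pattern with the correct one using only the Python standard library: `decode_unverified` trusts the payload segment as-is, while `decode_verified` recomputes the HS256 HMAC and rejects any token whose payload no longer matches its signature. The secret key and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed sample key, not from any real system


def b64url_decode(s: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: dict, key: bytes) -> str:
    """Issue an HS256-signed JWT for the given claims (issuer side)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """The flawed pattern (CWE-345): returns the claims without checking the signature."""
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))


def decode_verified(token: str, key: bytes) -> dict:
    """The correct pattern: pin the algorithm, recompute the MAC, compare in constant time."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # also rejects 'none' and key-confusion variants
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("invalid signature")
    return json.loads(b64url_decode(payload))


def is_authentic(token: str, key: bytes) -> bool:
    """Convenience wrapper: True only if the token passes full verification."""
    try:
        decode_verified(token, key)
        return True
    except (ValueError, KeyError, json.JSONDecodeError):
        return False


def with_altered_payload(token: str, claims: dict) -> str:
    """Test fixture: replace the payload segment but keep the original signature."""
    header, _, sig = token.split(".")
    return f"{header}.{b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"
```

Running `is_authentic` on a token whose payload was altered after signing returns False, while `decode_unverified` happily returns the altered claims; that difference is exactly what the rule flags.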