Use of a Broken or Risky Cryptographic Algorithm
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
The code issues or accepts JWTs whose header declares `"alg": "none"`. Such a token carries no signature (its third segment is empty), so the verifier has nothing to check and trusts the claims exactly as written. Because the `alg` header is attacker-controlled input, a verifier that honours it lets anyone craft or modify a token that will be accepted as valid, without any knowledge of the server's signing key. The accepted algorithm must be pinned on the server side and never taken from the token header.
Impact
An attacker who can forge tokens can set arbitrary claims (for example `sub` or a role claim) to impersonate any user or escalate privileges, bypassing authentication and authorization checks entirely. This leads to unauthorized access to sensitive data or critical functions and puts both user data and system integrity at risk.
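The weakness described above and the forgery it enables, as an added example that is not code from the original page or from any particular JWT library: a minimal stdlib-only JWT implementation with a verifier that honours the header's `alg` (so an `alg: none` token with an empty signature is accepted) beside a hardened verifier that pins the algorithm server-side. The key, claims and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key; a real deployment uses a random key of 32+ bytes.
KEY = b"server-side-hmac-secret"
PINNED_ALG = "HS256"  # the only algorithm the hardened verifier will ever use


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token (what the server should produce)."""
    signing_input = f'{_encode_json({"alg": "HS256", "typ": "JWT"})}.{_encode_json(payload)}'
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_none_token(payload: dict, alg_value: str = "none") -> str:
    """Attacker's token: no key needed, signature segment left empty."""
    return f'{_encode_json({"alg": alg_value, "typ": "JWT"})}.{_encode_json(payload)}.'


def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return parts, json.loads(b64url_decode(parts[0]))


def _check_hs256(h64: str, p64: str, s64: str, key: bytes) -> None:
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")


def verify_vulnerable(token: str, key: bytes) -> dict:
    """CWE-327 pattern: honours whatever `alg` the unauthenticated header declares."""
    (h64, p64, s64), header = _split(token)
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p64))  # signature never checked
    if header.get("alg") == "HS256":
        _check_hs256(h64, p64, s64, key)
        return json.loads(b64url_decode(p64))
    raise ValueError("unsupported alg")


def verify_hardened(token: str, key: bytes) -> dict:
    """Pins the algorithm server-side; the token header does not get a vote."""
    (h64, p64, s64), header = _split(token)
    if header.get("alg") != PINNED_ALG:  # exact match also rejects None / NONE / nOnE
        raise ValueError(f"algorithm {header.get('alg')!r} not allowed")
    _check_hs256(h64, p64, s64, key)
    return json.loads(b64url_decode(p64))


def is_accepted(verifier, token: str, key: bytes) -> bool:
    """True if the verifier returns claims, False if it raises."""
    try:
        verifier(token, key)
        return True
    except ValueError:
        return False


def demo() -> dict:
    forged = forge_none_token({"sub": "alice", "role": "admin"})
    legit = sign_hs256({"sub": "bob", "role": "user"}, KEY)
    return {
        "vulnerable_accepts_forged": verify_vulnerable(forged, KEY),
        "hardened_accepts_forged": is_accepted(verify_hardened, forged, KEY),
        "hardened_accepts_legit": verify_hardened(legit, KEY),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The vulnerable verifier returns the forged `role: admin` claims with no key involved; the hardened one rejects any header whose `alg` is not the pinned value before it even looks at the signature. The same rule applies when using a real library: pass an explicit algorithm allowlist to the verify call and never let the header select the algorithm.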