Insufficiently Protected Credentials
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-522: Insufficiently Protected Credentials |
| OWASP | A02:2017 - Broken Authentication |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Sensitive data is placed directly in the payload of a JWT created with jwt.encode(). Anyone who obtains the token can decode it and read this data, because a JWT payload is only base64url-encoded, not encrypted; the signature protects the token's integrity, not its confidentiality.
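The following is an added example, not code from the original page: a minimal stdlib HS256 signer stands in for jwt.encode(), a token with a credential in its claims is read back without the signing key, and a small claim-name check (the SENSITIVE_CLAIMS set and all names are constructed for this demo) flags the pattern next to a hardened token that carries only identity and expiry claims.

```python
import base64
import hashlib
import hmac
import json

# Claim names a scanner would treat as credentials or secrets (constructed list).
SENSITIVE_CLAIMS = {"password", "passwd", "secret", "ssn", "credit_card", "api_key"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that JWT segments strip.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def encode_hs256(payload: dict, key: bytes) -> str:
    # Stand-in for jwt.encode(payload, key, algorithm="HS256"), built on the stdlib only.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def payload_without_key(token: str) -> dict:
    # The middle segment is plain base64url JSON: readable with no key and no signature check.
    return json.loads(_b64url_decode(token.split(".")[1]))

def sensitive_claims(payload: dict) -> set:
    # Detection rule: report any claim whose name matches the sensitive list.
    return {k for k in payload if k.lower() in SENSITIVE_CLAIMS}

KEY = b"constructed-demo-key"  # constructed demo value, not a real secret

# Vulnerable pattern: the user's password is encoded into the claims.
bad_token = encode_hs256({"sub": "alice", "password": "hunter2"}, KEY)

# Hardened pattern: only a subject identifier and expiry; credentials stay server-side.
good_token = encode_hs256({"sub": "alice", "exp": 1700000000}, KEY)

if __name__ == "__main__":
    print(payload_without_key(bad_token))                     # password is visible
    print(sensitive_claims(payload_without_key(bad_token)))   # {'password'}
    print(sensitive_claims(payload_without_key(good_token)))  # set()
```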
Impact
Exposing sensitive information such as passwords, credentials, or personal user data in JWTs can lead to data leaks and privacy breaches. Attackers or unauthorized parties could decode intercepted tokens and gain access to this confidential information, putting users and the application at risk.