Use of a Broken or Risky Cryptographic Algorithm
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The code creates JWT tokens with the `none` algorithm (`"alg": "none"` in the token header), so the tokens carry an empty signature and are neither signed nor verifiable. Anyone can construct such a token, or take an existing one and change claims such as the subject or role, and a verifier that honours the `alg` value taken from the token header will accept it without detecting the change. Authentication built on these tokens is therefore not authentication at all. The same weakness appears on the verifying side whenever a JWT library is called without an explicit, server-side algorithm allowlist, because it may then accept `alg: none` tokens the application never issued.
Impact
If exploited, an attacker can mint or tamper with JWT tokens to impersonate any user, including administrative accounts, or to reach protected resources without valid credentials. This defeats the application's authentication entirely and can lead to data exposure or privilege escalation.
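As an added illustration (not code from the original page, nor from any scanner or library the page describes), the following Python builds a JWT with `alg: none` the way the flagged code does, then contrasts a verifier that lets the token header choose the algorithm with one that enforces a server-side allowlist. The HMAC key, the claims and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Sequence


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url_encode; restore padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def create_token(payload: dict, alg: str, key: Optional[bytes] = None) -> str:
    """Mint a JWT. alg='none' is what the flagged code does: no signature at all."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_encode_part(header) + "." + _encode_part(payload)).encode("ascii")
    if alg == "none":
        signature = b""  # third segment is empty: nothing binds header and payload
    elif alg == "HS256":
        if not key:
            raise ValueError("HS256 needs a key")
        signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    else:
        raise ValueError("unsupported alg: " + alg)
    return signing_input.decode("ascii") + "." + _b64url_encode(signature)


def verify_vulnerable(token: str, key: bytes) -> dict:
    """Weak verifier: the token header picks the algorithm, including none."""
    h, p, s = token.split(".")
    alg = json.loads(_b64url_decode(h))["alg"]
    if alg == "none":
        return json.loads(_b64url_decode(p))  # unsigned token accepted as-is
    if alg == "HS256":
        expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s)):
            return json.loads(_b64url_decode(p))
    raise ValueError("bad signature")


def verify_hardened(token: str, key: bytes, allowed_algs: Sequence[str] = ("HS256",)) -> dict:
    """Hardened verifier: allowlist fixed by the server, 'none' never accepted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    alg = json.loads(_b64url_decode(h)).get("alg")
    if alg == "none" or alg not in allowed_algs:
        raise ValueError("algorithm not allowed: %r" % (alg,))
    # Only HS256 is implemented here; a real verifier dispatches per allowed alg.
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def accepts(verifier, token: str, key: bytes) -> bool:
    """True if the verifier returns claims, False if it rejects the token."""
    try:
        verifier(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a placeholder server key and an attacker-forged admin token.
    server_key = b"example-server-hmac-key"  # placeholder, not a real secret
    forged = create_token({"sub": "attacker", "admin": True}, "none")
    legit = create_token({"sub": "alice", "admin": False}, "HS256", server_key)
    print("forged token:", forged)
    print("vulnerable accepts forged:", accepts(verify_vulnerable, forged, server_key))
    print("hardened accepts forged:", accepts(verify_hardened, forged, server_key))
    print("hardened accepts legit:", accepts(verify_hardened, legit, server_key))
```

The point to carry over to real code is in `verify_hardened`: the set of acceptable algorithms is a verifier-side constant, the token header is never consulted to choose it, and `none` is rejected even if it somehow ends up in the allowlist. With PyJWT, jose or similar libraries the equivalent is passing an explicit `algorithms` list on every decode call.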