Spring Security
cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*, +1 more
- >= 6.3.0, <= 6.3.14
- >= 6.4.0, <= 6.4.14
- >= 6.5.0, <= 6.5.9
- >= 7.0.0, <= 7.0.4
A vulnerability exists in Spring Security applications that decode JWTs with NimbusJwtDecoder or NimbusReactiveJwtDecoder. In the affected versions these decoders do not automatically validate the token issuer, so an application that does not configure an OAuth2TokenValidator<Jwt> itself is left without that check. This issue affects Spring Security versions 6.3.0 through 6.3.14, 6.4.0 through 6.4.14, 6.5.0 through 6.5.9, and 7.0.0 through 7.0.4, as well as older, unsupported versions.
Without an explicitly configured validator, tokens are not properly validated: an application that relies on JWTs for authentication or authorization may accept a token it should reject.
Users should upgrade to Spring Security 6.3.15, 6.4.15, 6.5.10, or 7.0.5. If the upgrade causes problems because issuer validation is now applied where it was not before, the previous default can be restored by setting the OAuth2TokenValidator manually after the decoder has been configured. Note that doing so removes the issuer check again, so only revert if the application validates the issuer some other way.
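The following is an added example, not code from this advisory or from the Spring Security project, of what the advice above looks like in a resource-server configuration: a decoder whose validation is configured explicitly (issuer, timestamps and audience), plus the documented way to restore the previous timestamp-only default after upgrading. The issuer URI, audience value and JWK set URI are placeholders; the classes and methods used are the public Spring Security 6 API.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    // Placeholder values (assumptions for this example): substitute the
    // issuer your authorization server advertises and the audience this
    // resource server expects to find in the "aud" claim.
    private static final String ISSUER = "https://issuer.example.com";
    private static final String EXPECTED_AUDIENCE = "my-resource-server";

    // Validator the application owns, so the checks do not depend on what a
    // given decoder version applies by default.
    static OAuth2TokenValidator<Jwt> tokenValidator() {
        // exp/nbf timestamp checks plus "iss" must equal ISSUER.
        OAuth2TokenValidator<Jwt> issuerAndTimestamps =
                JwtValidators.createDefaultWithIssuer(ISSUER);

        // Reject tokens minted for a different resource server.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD,
                aud -> aud != null && aud.contains(EXPECTED_AUDIENCE));

        return new DelegatingOAuth2TokenValidator<>(issuerAndTimestamps, audience);
    }

    // Servlet stack: build the decoder, then install the validator explicitly.
    @Bean
    public JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(ISSUER).build();
        decoder.setJwtValidator(tokenValidator());
        return decoder;
    }

    // Reactive stack: same validator, installed the same way.
    @Bean
    public ReactiveJwtDecoder reactiveJwtDecoder() {
        NimbusReactiveJwtDecoder decoder =
                NimbusReactiveJwtDecoder.withIssuerLocation(ISSUER).build();
        decoder.setJwtValidator(tokenValidator());
        return decoder;
    }

    // The advisory's escape hatch after upgrading: createDefault() checks
    // timestamps only, so the issuer is NOT validated by this decoder.
    // Use it only when the issuer is verified elsewhere.
    static NimbusJwtDecoder decoderWithoutIssuerValidation(String jwkSetUri) {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        decoder.setJwtValidator(JwtValidators.createDefault());
        return decoder;
    }
}
```

Calling setJwtValidator replaces the decoder's validator wholesale rather than adding to it, which is why the hardened path composes the issuer/timestamp validator and the audience validator into one DelegatingOAuth2TokenValidator before installing it, and why the revert path ends up with no issuer check at all.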