Keats jsonwebtoken Type Confusion Vulnerability Allowing Authorization Bypass
Vulnerability
A type confusion vulnerability affects the jsonwebtoken library for Rust prior to version 10.3.0. It lies in the claim validation logic: when a standard claim such as 'nbf' or 'exp' is supplied with the wrong JSON type (for example a string instead of a number), deserialization marks the claim as 'FailedToParse'. The validation logic then treats 'FailedToParse' the same as 'NotPresent'. As a result, if the check for a claim is enabled but the claim is not listed as required, the malformed claim is skipped instead of rejected. An attacker who can get such a token accepted can therefore bypass time-based checks such as 'Not Before', which may lead to unauthorized access or actions.
Impact
Exploiting this vulnerability bypasses time-based claim validation ('Not Before' and 'Expiration' checks), so a token is accepted when it should be rejected. The flaw is in claim validation, not in signature verification: the token must still carry a valid signature, so the practical exposure is to tokens whose claims an attacker can influence at signing time, or to verifiers that rely on 'nbf' or 'exp' to limit the lifetime of tokens issued by another party. A claim that is listed as required is still rejected when malformed; only enabled-but-not-required checks are skipped.
Reproduction
To reproduce, use jsonwebtoken 10.2.0 to encode a token whose 'nbf' (or 'exp') claim is a JSON string rather than a number, for example a far-future Unix timestamp in quotes. Decode it with a Validation that has the corresponding check enabled ('validate_nbf' or 'validate_exp') but does not list the claim in 'required_spec_claims'. The library marks the string as 'FailedToParse', treats it as absent, and accepts the token, although the same value as a numeric 'nbf' would be rejected as not yet valid. A short Rust program that forges such a token and then decodes it with validation enabled demonstrates the bypass.
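As an added example (not code from the jsonwebtoken project), the following std-only Rust program models the claim-validation path the advisory describes and shows a string 'nbf' passing the pre-fix check while a numeric 'nbf' with the same value is rejected. The 'TryParse' states are the ones the advisory names; the 'Json' type, the 'Validation' fields, the error names, the sample payload and the fixed timestamp 'NOW' are assumptions for illustration, and 'validate_fixed' is one possible hardening, not necessarily the 10.3.0 patch. Signature verification is outside the model: it runs before claim validation and is not affected by this bug.

```rust
use std::collections::HashMap;

/// Minimal JSON value model for a decoded payload (constructed for this example).
#[derive(Debug, Clone)]
pub enum Json {
    Number(u64),
    Str(String),
}

/// The three outcomes the advisory names for a standard claim.
#[derive(Debug, PartialEq)]
pub enum TryParse<T> {
    Parsed(T),
    FailedToParse,
    NotPresent,
}

#[derive(Debug, PartialEq)]
pub enum ClaimError {
    MissingRequiredClaim(String),
    InvalidClaimType(String),
    ExpiredSignature,
    ImmatureSignature,
}

/// Subset of validation settings relevant to the time checks (field names assumed).
pub struct Validation {
    pub validate_exp: bool,
    pub validate_nbf: bool,
    pub required_spec_claims: Vec<&'static str>,
    pub leeway: u64,
}

/// Classify a numeric claim the way the advisory describes: a value of the
/// wrong JSON type becomes FailedToParse instead of a hard error.
pub fn numeric_claim(claims: &HashMap<&str, Json>, name: &str) -> TryParse<u64> {
    match claims.get(name) {
        None => TryParse::NotPresent,
        Some(Json::Number(n)) => TryParse::Parsed(*n),
        Some(_) => TryParse::FailedToParse, // e.g. "nbf": "4102444800"
    }
}

/// Required claims must be Parsed; a malformed value is reported as missing.
fn check_required(claims: &HashMap<&str, Json>, v: &Validation) -> Result<(), ClaimError> {
    for name in &v.required_spec_claims {
        if !matches!(numeric_claim(claims, name), TryParse::Parsed(_)) {
            return Err(ClaimError::MissingRequiredClaim(name.to_string()));
        }
    }
    Ok(())
}

/// Pre-10.3.0 shape of the check: a guard on `Parsed(..)` is simply false for
/// FailedToParse, so an enabled but non-required check is silently skipped.
pub fn validate_vulnerable(claims: &HashMap<&str, Json>, v: &Validation, now: u64) -> Result<(), ClaimError> {
    check_required(claims, v)?;
    if matches!(numeric_claim(claims, "exp"), TryParse::Parsed(exp)
        if v.validate_exp && exp < now.saturating_sub(v.leeway))
    {
        return Err(ClaimError::ExpiredSignature);
    }
    if matches!(numeric_claim(claims, "nbf"), TryParse::Parsed(nbf)
        if v.validate_nbf && nbf > now + v.leeway)
    {
        return Err(ClaimError::ImmatureSignature);
    }
    Ok(())
}

/// Hardened form (assumed): when a time check is enabled, a present-but-malformed
/// claim is rejected outright instead of being treated as absent.
pub fn validate_fixed(claims: &HashMap<&str, Json>, v: &Validation, now: u64) -> Result<(), ClaimError> {
    check_required(claims, v)?;
    if v.validate_exp {
        match numeric_claim(claims, "exp") {
            TryParse::Parsed(exp) if exp < now.saturating_sub(v.leeway) => return Err(ClaimError::ExpiredSignature),
            TryParse::FailedToParse => return Err(ClaimError::InvalidClaimType("exp".to_string())),
            _ => {}
        }
    }
    if v.validate_nbf {
        match numeric_claim(claims, "nbf") {
            TryParse::Parsed(nbf) if nbf > now + v.leeway => return Err(ClaimError::ImmatureSignature),
            TryParse::FailedToParse => return Err(ClaimError::InvalidClaimType("nbf".to_string())),
            _ => {}
        }
    }
    Ok(())
}

/// Fixed "current time" for a deterministic run (constructed value).
pub const NOW: u64 = 1_700_000_000;

/// Constructed payload: a valid numeric exp one hour ahead of NOW, nbf supplied by the caller.
pub fn sample_claims(nbf: Json) -> HashMap<&'static str, Json> {
    let mut c = HashMap::new();
    c.insert("exp", Json::Number(NOW + 3600));
    c.insert("nbf", nbf);
    c
}

fn main() {
    let v = Validation { validate_exp: true, validate_nbf: true, required_spec_claims: vec!["exp"], leeway: 0 };
    // Far-future nbf as a string: the token should not be valid yet.
    let forged = sample_claims(Json::Str("4102444800".to_string()));
    println!("string nbf, vulnerable: {:?}", validate_vulnerable(&forged, &v, NOW));
    println!("string nbf, fixed:      {:?}", validate_fixed(&forged, &v, NOW));
    // The same nbf as a number is caught by both versions.
    let honest = sample_claims(Json::Number(4_102_444_800));
    println!("numeric nbf, vulnerable: {:?}", validate_vulnerable(&honest, &v, NOW));
}
```

Adding 'nbf' to 'required_spec_claims' makes the vulnerable path fail with MissingRequiredClaim instead of accepting the token, which is why the advisory scopes the bypass to claims that are checked but not required.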
Remediation
Users can upgrade to jsonwebtoken version 10.3.0 or later, where this vulnerability has been patched.
