Authlib
cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*
- 1.6.5
- 1.6.6
Authlib, a Python library for building OAuth and OpenID Connect servers, contains a signature verification bypass for JSON Web Tokens (JWTs). A JWT whose 'alg' header is set to 'none' and whose signature segment is empty is accepted as if it were validly signed, so the token's claims are trusted without any cryptographic check. The issue affects Authlib versions 1.6.5 and 1.6.6 and, per the advisory, was introduced in version 1.6.0. Because signed tokens are typically the only thing standing between a request and an identity or role, the consequences are authentication bypass, privilege escalation, unauthorized access, or unauthorized modification of application data.
Exploitation requires nothing more than a crafted token: an attacker who can present a JWT to an application that verifies it with a vulnerable Authlib version can forge arbitrary claims (for example a different subject, or elevated roles) and have them accepted in authentication or authorization decisions, with no knowledge of any signing key.
To reproduce, build a JWT whose header is {"alg": "none"} and whose third (signature) segment is empty, then pass it to the library's JWT signature verification routine. A vulnerable version returns the decoded claims instead of raising an error.
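The following self-contained Python is an added example, not Authlib's code and not part of the original advisory. It builds both a genuinely signed HS256 token and a forged 'alg: none' token with an empty signature, then runs them through two verifiers: decode_vulnerable is a hypothetical sketch of the described failure mode (the algorithm is read from the untrusted header and 'none' is treated as "nothing to verify"), and decode_hardened shows the checks a verifier needs so that the same token is rejected. The key, claims and function names are all constructed for this example; only HS256 is implemented.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key for HS256; not a real secret.
SECRET = b"example-hmac-key-do-not-use"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that JWT base64url strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Server side: issue a properly signed HS256 token."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_alg_none(claims: dict) -> str:
    """Attacker side: 'alg': 'none' header and an empty signature segment,
    the token shape the advisory describes. No key is needed."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    return parts


def decode_vulnerable(token: str, key: bytes) -> dict:
    """Hypothetical flawed verifier (NOT Authlib's code): it takes the algorithm
    from the untrusted header and, on 'none', skips verification entirely."""
    h, p, s = _split(token)
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))  # claims trusted without any check
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def decode_hardened(token: str, key: bytes, allowed_algs=("HS256",)) -> dict:
    """Verifier that takes the algorithm policy from the server, never from the
    token: 'none' is never in the allow-list, an empty signature segment is
    rejected before any crypto, and the MAC is compared in constant time.
    Only HS256 is implemented in this example."""
    h, p, s = _split(token)
    header = json.loads(b64url_decode(h))
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"algorithm not allowed: {alg!r}")
    if not s:
        raise ValueError("empty signature")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def accepts(decoder, token: str, key: bytes) -> bool:
    """True if the decoder returns claims, False if it rejects the token."""
    try:
        decoder(token, key)
        return True
    except ValueError:  # covers base64 and JSON decode errors too
        return False


if __name__ == "__main__":
    forged = forge_alg_none({"sub": "alice", "admin": True})
    genuine = sign_hs256({"sub": "alice", "admin": False}, SECRET)
    print("forged token, flawed verifier:  ", accepts(decode_vulnerable, forged, SECRET))
    print("forged token, hardened verifier:", accepts(decode_hardened, forged, SECRET))
    print("genuine token, hardened verifier:", accepts(decode_hardened, genuine, SECRET))
```

The point of decode_hardened is that the allow-list is a server-side decision made before the header is consulted for anything else; a verifier that consults the header first and then decides whether to verify is exactly the shape that lets 'none' through. The same applies to any JWT library: pin the expected algorithms explicitly rather than letting the token choose.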
Upgrade to Authlib version 1.6.7, where this vulnerability has been patched. Until the upgrade is deployed, a compensating control is to reject any incoming token whose header 'alg' is 'none' or is not in an explicit allow-list of the algorithms the application actually issues, and to treat any token with an empty signature segment as invalid, before the token reaches the library.