fast-jwt
cpe:2.3:a:nearform:fast-jwt:*:*:*:*:node.js:*:*
- <= 6.2.3
A critical authentication-bypass vulnerability has been identified in fast-jwt versions up to and including 6.2.3. It allows an unauthenticated attacker to forge JSON Web Tokens (JWTs) that the library accepts as valid. The flaw lies in the library's asynchronous key-resolver flow: when a function-typed key resolver returns an empty string, the library converts it into a zero-length Buffer and uses that Buffer as the HMAC secret. Because the secret is empty, anyone can compute the "correct" HMAC signature for a token of their choosing. The vulnerability is exploitable by anyone who can submit a JWT for verification, so it is a serious risk for any application that uses fast-jwt with a function-typed key resolver that can return an empty string (for example on a lookup miss).
Exploitation allows an attacker to mint arbitrary JWTs with chosen claims, such as 'sub', 'admin', and 'scopes', that the application then treats as authentic. Depending on how the application derives authorization decisions from JWT claims, this can grant unauthorized access or elevated privileges. In addition, once a forged token has been accepted, fast-jwt caches the verification result, so the forged token continues to pass verification for subsequent requests until the cache entry's TTL expires.
To reproduce the vulnerability, install fast-jwt version 6.2.3 and create a verifier whose asynchronous key resolver returns an empty string or a zero-length Buffer. Leave HMAC algorithms enabled, which is the default. Then forge a JWT by signing a header and payload of your choosing with HMAC-SHA256 over an empty key. Passing the forged token to the verifier with the vulnerable key resolver results in the token being accepted as valid.
Users should upgrade to fast-jwt version 6.2.4, which fixes the vulnerability. The patch rejects zero-length HMAC secrets in the key preparation function, so an empty resolver result can no longer be used as a signing key and the authentication bypass is closed.