LibJWT Algorithm Confusion Vulnerability Allows JWT Forgery via RSA JWK
Vulnerability
A vulnerability in LibJWT versions 3.0.0 through 3.3.2 allows forgery of JSON Web Tokens (JWTs) through algorithm confusion in the handling of RSA JSON Web Key (JWK) verification. When an RSA JWK is supplied without an 'alg' parameter, LibJWT's OpenSSL backend mistakenly verifies HS256, HS384 or HS512 tokens with a zero-length HMAC key. An attacker can therefore produce a JWT that verifies successfully without knowing any secret or RSA private key. The issue affects applications that load RSA keys from a JWK Set (JWKS) in which 'alg' is omitted, a common configuration in real-world deployments, and then choose the verification algorithm from the JWT header, for example through a key ID (kid) lookup callback.
Impact
This vulnerability allows an unauthenticated attacker to forge JWT claims in applications that trust RSA JWKs lacking an 'alg' field and use the JWT header to determine the verification algorithm. The attacker needs only the public JWKS, which is typically published by design. Successful exploitation can lead to authentication bypass and privilege escalation, since the attacker controls claims such as 'sub', 'role', 'scope' or tenant identifiers.
Reproduction
To reproduce this vulnerability, build LibJWT with the OpenSSL backend and the command-line interface (CLI) tools. Create a public RSA JWK intended for signature verification that omits the 'alg' field. Then, using that JWK, verify a JWT whose header selects an HMAC algorithm (HS256, HS384 or HS512) and whose signature was computed with an empty HMAC key. Verification succeeds, demonstrating the vulnerability.
Remediation
Upgrade to LibJWT version 3.3.3, which fixes this vulnerability.
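The root cause described in the Vulnerability section is that the algorithm family is taken from the untrusted JWT header while the key type comes from the JWKS, and nothing checks that the two agree. The following Python example, added here and not part of the advisory or of LibJWT itself, shows the check a verifier should apply before any signature operation: the header 'alg' must be on a server-side allow-list, must be a legitimate algorithm for the JWK's 'kty' (RFC 7518), must equal the JWK's own 'alg' if one is present, and an HMAC key must be non-empty. The JWKS, the secret and the tokens are constructed sample data; the RSA 'n' and 'e' values are placeholders, not a real key, and only HMAC-family verification is implemented.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secret for the HMAC key below (not a real deployment value).
DEMO_SECRET = b"constructed-demo-secret"

# Constructed sample JWKS: an RSA public key served without 'alg' (the situation
# the advisory describes) and an HMAC key for comparison. 'n'/'e' are placeholders.
JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "rsa-1", "use": "sig",
         "n": "placeholder-modulus", "e": "AQAB"},
        {"kty": "oct", "kid": "hmac-1", "alg": "HS256",
         "k": base64.urlsafe_b64encode(DEMO_SECRET).rstrip(b"=").decode()},
    ]
}

# JWT 'alg' values that are legitimate for each JWK key type (RFC 7518).
ALGS_FOR_KTY = {
    "oct": {"HS256", "HS384", "HS512"},
    "RSA": {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"},
    "EC": {"ES256", "ES384", "ES512"},
}
HMAC_DIGEST = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def find_key(jwks: dict, kid) -> dict:
    # Key ID lookup, the step the advisory's callback performs.
    for jwk in jwks["keys"]:
        if jwk.get("kid") == kid:
            return jwk
    raise KeyError(f"unknown kid {kid!r}")


def select_key(header: dict, jwk: dict, allowed_algs: set) -> dict:
    """Hardened key selection: refuse any header/key pairing in which the
    algorithm family is not consistent with the key itself."""
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} not in server allow-list")
    kty = jwk.get("kty")
    if alg not in ALGS_FOR_KTY.get(kty, set()):
        # This is the check that stops an RSA key from being used for HS*.
        raise ValueError(f"alg {alg!r} does not match key type {kty!r}")
    if "alg" in jwk and jwk["alg"] != alg:
        raise ValueError("header alg disagrees with the key's own alg")
    if kty == "oct" and not b64url_decode(jwk.get("k", "")):
        # A zero-length HMAC secret must never reach the MAC routine.
        raise ValueError("empty HMAC secret")
    return jwk


def verify(token: str, jwks: dict, allowed_algs: set) -> dict:
    """Verify an HMAC-family token against the JWKS and return its claims."""
    h_b64, p_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    jwk = select_key(header, find_key(jwks, header.get("kid")), allowed_algs)
    if jwk["kty"] != "oct":
        raise NotImplementedError("asymmetric verification is delegated to a crypto library")
    expected = hmac.new(b64url_decode(jwk["k"]), f"{h_b64}.{p_b64}".encode(),
                        HMAC_DIGEST[header["alg"]]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p_b64))


def make_hs_token(header: dict, claims: dict, secret: bytes) -> str:
    # Helper for building HMAC-signed sample tokens for the checks above.
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), HMAC_DIGEST[header["alg"]]).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"
```

A token whose header names HS256 but whose 'kid' resolves to the RSA entry is rejected by `select_key` before any HMAC is computed, regardless of what secret was used to sign it; a token signed with the 'oct' key and a matching 'alg' verifies normally. The stronger configuration is to pin the expected algorithm per key on the server side and ignore the header's 'alg' entirely, which is what publishing 'alg' in the JWKS and enforcing the "header alg disagrees" check approximates here.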
