CRITICAL · CWE-345 · Authentication
JWT 'None' Algorithm Attack
Description
Your JWT verification library accepts tokens whose header declares alg: 'none', i.e. unsigned tokens. For such tokens signature verification is skipped entirely, so an attacker can forge a token that passes verification without ever knowing the signing secret or private key.
How Vezraa Detects It
We take a token your application issues, rewrite its header to alg: 'none', alter the claims (for example the subject or role), strip the signature and replay the result against your protected endpoints. A success response where an authentication error is expected confirms the finding.
Real-World Impact
Complete authentication bypass. An attacker can forge a token for any user by setting the algorithm to 'none' and omitting the signature.
Fix Example
const jwt = require('jsonwebtoken');

// BAD — no algorithm pinned; a library that honours the token's own alg header will accept alg: 'none'
jwt.verify(token, secret);

// GOOD — require algorithm: the caller decides which algorithm is acceptable, not the token
jwt.verify(token, secret, { algorithms: ['HS256'] });

Affected Stacks
JWT · Node.js · Python · All JWT implementations