Endpoint accepts unsigned JWT


Description

This publicly exposed API endpoint accepts unsigned JWTs. The JWT specification allows for unsecured JWTs where the algorithm is set to “none” and no signature is provided.

When an endpoint accepts JWTs with the “none” algorithm, it means that:

  1. No cryptographic signature verification is performed
  2. The JWT payload is trusted without any authentication of its integrity
  3. Anyone can create a valid JWT by simply setting the algorithm to “none” and removing the signature

Remediation

To fix this vulnerability, reject unsigned JWTs. Configure your JWT validation library to explicitly reject JWTs with "alg": "none". If that is not possible, manually inspect the parsed JWT header and reject the token when the algorithm is none.
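The following is an added example of the manual check described above, written for this page and not taken from any JWT library: the verifier allow-lists the single accepted algorithm (so "none", "None", "NONE" and any unexpected value all fail), refuses an empty signature segment, and only then checks the HMAC. The key and the tokens are constructed test fixtures; the unsigned token is the shape this page describes (header with "alg": "none" and no signature), built solely to confirm that the verifier rejects it.

```python
import base64
import hashlib
import hmac
import json

# Allow-list of accepted algorithms; this is the fix: never consult the token's
# own "alg" to decide how (or whether) to verify it.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_jwt(token: str, key: bytes) -> dict:
    """Return the payload only for an allow-listed algorithm with a valid HMAC;
    raise ValueError for anything else, including "alg": "none"."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"rejected algorithm {header.get('alg') if isinstance(header, dict) else None!r}")
    if not sig_b64:
        raise ValueError("missing signature")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def make_hs256_token(payload: dict, key: bytes) -> str:
    # Constructed test fixture: a properly signed HS256 token
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def make_unsigned_token(payload: dict, alg: str = "none") -> str:
    # Constructed test fixture: the unsecured JWT form this page describes
    # (algorithm "none", empty signature segment), used only to exercise the check
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def is_rejected(token: str, key: bytes) -> bool:
    """True when verify_jwt refuses the token."""
    try:
        verify_jwt(token, key)
    except ValueError:
        return True
    return False
```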