JWT token decoded without signature verification
Description
JWT decoded without verification. This may allow forged tokens to be accepted. Always call `.verify()` before using claims.
Examples
Insecure Code
```java
// JWT.decode() only base64-decodes the header and payload; the signature is never checked,
// so any claims read from decodedToken may come from a forged token.
DecodedJWT decodedToken = JWT.decode(token);
```
Secure Code
```java
// Build a verifier bound to the expected algorithm and key, and verify before reading claims.
JWTVerifier verifier = JWT.require(Algorithm.HMAC256(secret)).build();
DecodedJWT decodedToken = verifier.verify(token); // throws JWTVerificationException on a bad signature
```
Remediation
Call `verify()` on a `JWTVerifier` built for the expected algorithm and key before using any of the token's claims; `JWT.decode()` alone parses the token but does not check its signature.
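The following is an added, self-contained example (not code from the rule page or from the java-jwt project) showing why the remediation matters: it issues a token under one key, presents a second token signed under a different key, and contrasts what `JWT.decode()` and `JWTVerifier.verify()` do with each. It assumes the `com.auth0:java-jwt` library is on the classpath; the secret, issuer, and claim values are constructed for the demo.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

// Assumes com.auth0:java-jwt (3.x or 4.x) on the classpath.
public class JwtVerifyDemo {

    // Constructed demo secrets; a real service loads its signing key from a secret store.
    private static final String SERVICE_SECRET = "demo-service-secret";
    private static final String OTHER_SECRET = "some-other-key";
    private static final String ISSUER = "demo-issuer";

    private static final Algorithm SERVICE_ALG = Algorithm.HMAC256(SERVICE_SECRET);

    // Verifier bound to our key and expected issuer (the secure pattern).
    private static final JWTVerifier VERIFIER = JWT.require(SERVICE_ALG).withIssuer(ISSUER).build();

    // Insecure pattern from the rule: read a claim from a merely decoded token.
    static String roleWithoutVerification(String token) {
        DecodedJWT decoded = JWT.decode(token);
        return decoded.getClaim("role").asString();
    }

    // Remediated pattern: verify signature and issuer first, then read the claim.
    static String roleWithVerification(String token) {
        DecodedJWT verified = VERIFIER.verify(token);
        return verified.getClaim("role").asString();
    }

    public static void main(String[] args) {
        // A genuine token issued by this service.
        String genuine = JWT.create().withIssuer(ISSUER).withClaim("role", "user").sign(SERVICE_ALG);
        // A token with the same shape but signed under a key this service does not trust.
        String untrusted = JWT.create().withIssuer(ISSUER).withClaim("role", "admin")
                .sign(Algorithm.HMAC256(OTHER_SECRET));

        // decode() happily returns the claims of the untrusted token.
        System.out.println("decode only, untrusted token -> role=" + roleWithoutVerification(untrusted));

        // verify() rejects it because the signature does not match our key.
        try {
            roleWithVerification(untrusted);
            System.out.println("unexpected: untrusted token accepted");
        } catch (JWTVerificationException e) {
            System.out.println("verify, untrusted token -> rejected: " + e.getMessage());
        }

        // verify() accepts the genuine token and only then exposes its claims.
        System.out.println("verify, genuine token -> role=" + roleWithVerification(genuine));
    }
}
```

Running the `main` method prints the `admin` role for the untrusted token under the decode-only path, a rejection under the verified path, and `user` for the genuine token. In a code review, the check for this rule is that every value read from a `DecodedJWT` traces back to a `JWTVerifier.verify()` call rather than to `JWT.decode()`.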
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0558 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-347 |
| Confidence | MEDIUM |
| Impact | HIGH |
| Likelihood | LOW |
| Exploitability | MODERATE |
| Tags | jwt, authentication |
| OWASP | A08:2021-Software and Data Integrity Failures |
References
- https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
- https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures