jsonwebtoken, Type Confusion, CVE-2024-37963 (Critical)

Listen to this Post

The vulnerability exists in the `TryParse` enum and validation logic within src/validation.rs. When a JWT claim like `nbf` or `exp` is sent as an incorrect JSON type (e.g., a string), Serde’s deserialization results in TryParse::FailedToParse. The library’s validation function checks these claims using matches!(claims.nbf, TryParse::Parsed(nbf) if ...). This macro only triggers for the `Parsed` variant, skipping the `FailedToParse` state entirely. Consequently, if the claim is not listed in required_spec_claims, the validation is bypassed. The `FailedToParse` state is erroneously treated as NotPresent, allowing attackers to circumvent time-based security checks by providing malformed, far-future timestamp strings.
Platform: Rust Crate
Version: jsonwebtoken <10.3.0
Vulnerability: Validation Bypass
Severity: Critical
date: 2024-07-24

Prediction: Patch 2024-08-01

What Undercode Say:

cargo new nbf_poc; cd nbf_poc
cargo add serde --features derive
cargo add jsonwebtoken --features rust_crypto
cargo add serde_json
let mut validation: Validation = Validation::new(Algorithm::HS256);
validation.validate_nbf = true;
// 'nbf' not in required_spec_claims
let token_data = decode::<serde_json::Value>(&token, &decoding_key, &validation);

How Exploit:

Craft JWT with `”nbf”:”99999999999″` string claim. Ensure validation flag is enabled but claim is not required.

Protection from this CVE

Update to jsonwebtoken >=10.3.0. Add critical claims (nbf, exp) to `required_spec_claims` validation option.

Impact:

Authentication Bypass. Authorization Bypass. Permanent Token Validity.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top