Listen to this Post
The vulnerability exists in the `TryParse` enum and validation logic within src/validation.rs. When a JWT claim like `nbf` or `exp` is sent as an incorrect JSON type (e.g., a string), Serde’s deserialization results in TryParse::FailedToParse. The library’s validation function checks these claims using matches!(claims.nbf, TryParse::Parsed(nbf) if ...). This macro only triggers for the `Parsed` variant, skipping the `FailedToParse` state entirely. Consequently, if the claim is not listed in required_spec_claims, the validation is bypassed. The `FailedToParse` state is erroneously treated as NotPresent, allowing attackers to circumvent time-based security checks by providing malformed, far-future timestamp strings.
Platform: Rust Crate
Version: jsonwebtoken <10.3.0
Vulnerability: Validation Bypass
Severity: Critical
date: 2024-07-24
Prediction: Patch 2024-08-01
What Undercode Say:
cargo new nbf_poc; cd nbf_poc cargo add serde --features derive cargo add jsonwebtoken --features rust_crypto cargo add serde_json
let mut validation: Validation = Validation::new(Algorithm::HS256); validation.validate_nbf = true; // 'nbf' not in required_spec_claims let token_data = decode::<serde_json::Value>(&token, &decoding_key, &validation);
How Exploit:
Craft JWT with `”nbf”:”99999999999″` string claim. Ensure validation flag is enabled but claim is not required.
Protection from this CVE
Update to jsonwebtoken >=10.3.0. Add critical claims (nbf, exp) to `required_spec_claims` validation option.
Impact:
Authentication Bypass. Authorization Bypass. Permanent Token Validity.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

