Summary The fast-jwt library does not properly prevent JWT algorithm confusion for all public key types. Details The 'publicKeyPemMatcher' in 'fast-jwt/src/crypto.js' does not properly match all common PEM formats for public keys. To exploit this vulnerability, an attacker needs to craft a malicious JWT token containing the HS256 algorithm, signed with the public RSA key of the victim application. This attack will only work if the victim application utilizes a public key containing the BEGIN RSA PUBLIC KEY header. PoC Take a server running the following code: “`javascript const express = require('express'); const { createSigner, createVerifier } = require('fast-jwt') const fs = require('fs'); const path = require('path'); const app = express(); const port = 3000; // Load the keys from the file const publicKeyPath = path.join(__dirname, 'public_key.pem'); const publicKey = fs.readFileSync(publicKeyPath, 'utf8'); const privateKeyPath = path.join(__dirname, 'key'); const privateKey = fs.readFileSync(privateKeyPath, 'utf8'); app.use(express.json()); // Endpoint to generate a JWT token with admin: False app.get('/generateToken', async (req, res) => { const payload = { admin: false, name: req.query.name }; const signSync = createSigner({ algorithm: 'RS256', key: privateKey }); const token = signSync(payload); res.json({ token }); }); // Middleware to verify the JWT token function verifyToken(req, res, next) { const token = req.query.token; const verifySync =…Read More