
Authentication Bypass by Spoofing

CVE-2025-30144

Severity Medium
Score 6.5/10

Summary

The fast-jwt package provides a fast JSON Web Token (JWT) implementation. The fast-jwt library did not properly validate the iss claim according to RFC 7519. The iss (issuer) claim validation within the fast-jwt library allowed an array of strings to be a valid iss value. This design flaw enabled a potential attack where a malicious actor could craft a JWT with an iss claim structured as ['https://attacker-domain/', 'https://valid-iss']. Due to the permissive validation, the JWT would be deemed valid. Furthermore, if the application relied on external libraries like get-jwks that did not independently validate the iss claim, the attacker could exploit this vulnerability to forge a JWT that would be accepted by the victim application. Essentially, the attacker could insert their own domain into the iss array alongside the legitimate issuer, bypassing the intended security checks. This issue affects versions prior to 5.0.6.
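The following is an added example, not fast-jwt's own code or the fix it shipped in 5.0.6. It contrasts a permissive issuer check of the kind the summary describes (an array `iss` is accepted if any element is on the allowlist) with a strict check that applies RFC 7519's definition of `iss` as a single StringOrURI value. The function names, the allowlist value and the unsigned demo tokens are all constructed for illustration; signature verification is deliberately out of scope so the example stays focused on claim validation.

```javascript
// Added example (hypothetical helpers, not fast-jwt's code).
// Constructed allowlist for the demo.
const ALLOWED_ISSUERS = ['https://valid-iss'];

// Decode the payload segment of a compact JWS. Signature verification is
// intentionally omitted here; a real verifier checks the signature first.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Permissive check (illustrates the flaw class in the advisory): it accepts a
// string OR an array of strings and passes if ANY element is on the allowlist,
// so a claim that merely contains the legitimate issuer is treated as valid.
function permissiveIssuerOk(payload, allowed) {
  const iss = Array.isArray(payload.iss) ? payload.iss : [payload.iss];
  return iss.some((i) => allowed.includes(i));
}

// Strict check: RFC 7519 section 4.1.1 defines iss as a StringOrURI, so anything
// that is not a single non-empty string is rejected before any comparison, and
// the string must match an allowlisted issuer exactly.
function strictIssuerOk(payload, allowed) {
  if (typeof payload.iss !== 'string' || payload.iss.length === 0) return false;
  return allowed.includes(payload.iss);
}

// Constructed helper: builds an unsigned token (alg "none") purely so the
// decoder has realistic input; no verifier should ever accept such a token.
function toUnsignedToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(payload)}.`;
}

// Demo: the same array-valued iss passes the permissive check and fails the strict one.
const demoArrayIss = toUnsignedToken({ iss: ['https://attacker-domain/', 'https://valid-iss'], sub: 'u1' });
console.log('permissive:', permissiveIssuerOk(decodePayload(demoArrayIss), ALLOWED_ISSUERS));
console.log('strict    :', strictIssuerOk(decodePayload(demoArrayIss), ALLOWED_ISSUERS));
```

The type check is the whole mitigation: once `iss` is known to be exactly one string, it is also the only value that should select the key source (such as a JWKS lookup), so a downstream library that does not validate `iss` itself never sees an attacker-supplied element.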

  • HIGH
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • LOW
  • NONE

CWE-290 - Authentication Bypass by Spoofing

This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.

Advisory Timeline

  • Published