javascript.jose.security.jwt-none-alg.jwt-none-alg
Verifed by r2c
Community Favorite

Author
52,412
Download Count*
License
Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.
Run Locally
Run in CI
Defintion
rules:
- id: jwt-none-alg
message: Detected use of the 'none' algorithm in a JWT token. The 'none'
algorithm assumes the integrity of the token has already been verified.
This would allow a malicious actor to forge a JWT token that will
automatically be verified. Do not explicitly use the 'none' algorithm.
Instead, use an algorithm such as 'HS256'.
metadata:
cwe:
- "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
asvs:
section: "V3: Session Management Verification Requirements"
control_id: 3.5.3 Insecue Stateless Session Tokens
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management
version: "4"
category: security
technology:
- jose
- jwt
subcategory:
- vuln
likelihood: HIGH
impact: MEDIUM
confidence: HIGH
references:
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
languages:
- javascript
- typescript
severity: ERROR
pattern-either:
- pattern: |
var $JOSE = require("jose");
...
var { JWK, JWT } = $JOSE;
...
var $T = JWT.verify($P, JWK.None,...);
- pattern: |
var $JOSE = require("jose");
...
var { JWK, JWT } = $JOSE;
...
$T = JWT.verify($P, JWK.None,...);
- pattern: |
var $JOSE = require("jose");
...
var { JWK, JWT } = $JOSE;
...
JWT.verify($P, JWK.None,...);
Examples
jwt-none-alg.js
// ruleid: jwt-none-alg
const jose = require("jose");
const { JWK, JWT } = jose;
const token = JWT.verify('token-here', JWK.None);
Short Link: https://sg.run/AvRL