Dmbs335

**Name of the Vulnerable Software and Affected Versions** fast-jwt versions 6.1.0 and earlier **Description** fast-jwt does not validate the 'crit' (Critical) Header Parameter as defined in RFC 7515 §4.1.11. When a JWS token includes a 'crit' array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it, violating the RFC's MUST requirement. This can lead to split-brain verification in mixed-library environments, security policy bypass when 'crit' carries enforcement semantics, and token binding bypass. The `crit` parameter specifies required extensions in the JWT header. If a recipient does not support these extensions, the JWT should be rejected. The proof of concept demonstrates that a token with an unsupported critical extension ('x-custom-policy') is accepted by fast-jwt, while a library like jose correctly rejects it. **Recommendations** Update to a version of fast-jwt that includes validation for the 'crit' header parameter. In `src/verifier.js`, add crit validation after header decoding, ensuring that only supported critical extensions are accepted and that all listed critical extensions are present in the header.

Name of the Vulnerable Software and Affected Versions OneUptime versions prior to 10.0.42 Description OneUptime, an open-source monitoring and observability platform, had a flaw in its SAML SSO implementation located in `App/FeatureSet/Identity/Utils/SSO.ts`. The issue stemmed from a separation between signature verification and identity extraction. The `isSignatureValid()` function verified the signature of the first <Signature> element using `xml-crypto`, while the `getEmail()` function always retrieved the email from the first assertion via `xml2js`. This allowed an attacker to prepend an unsigned assertion containing an arbitrary identity before a legitimately signed assertion, leading to authentication bypass. Recommendations Update to version 10.0.42 or later.

**Name of the Vulnerable Software and Affected Versions** PyJWT versions prior to 2.12.0 **Description** PyJWT is a Python implementation for handling JSON Web Tokens (JWT). Before version 2.12.0, the library did not properly validate the 'crit' (Critical) Header Parameter as defined in RFC 7515 §4.1.11. Specifically, if a JWT contained a 'crit' array listing extensions that PyJWT did not recognize, the library would accept the token instead of rejecting it, violating the 'MUST' requirement outlined in the RFC. This could lead to security policy bypasses, token binding bypasses, and split-brain verification issues in deployments where different libraries are used with varying levels of compliance. The issue allows for the silent ignoring of RFC 7800 `cnf` (Proof-of-Possession) extensions. A proof of concept demonstrates that a token with an unknown critical extension is accepted by PyJWT, while a compliant library like jwcrypto rejects it. **Recommendations** Versions prior to 2.12.0 should be updated to version 2.12.0 or later.