Pac4J · Pac4J · CVE-2021-44878
**Name of the Vulnerable Software and Affected Versions**
pac4j versions 5.3.0 and prior (this range includes the 5.1 and earlier releases); the affected component is pac4j's OpenID Connect client, the pac4j-oidc module.
**Description**
pac4j's OpenID Connect client accepts the "none" JWS algorithm whenever the OpenID Connect provider advertises support for it. "none" means the ID token carries no signature, so the client performs no signature verification at all. An attacker can therefore forge an ID token by setting `"alg": "none"` in the JOSE header, writing arbitrary claims into the payload (for example another user's `sub`, or `iss` and `aud` values matching the deployment), and leaving the third, signature segment empty; the client accepts the token as valid and the attacker is authenticated as the claimed user. The OpenID Connect Core specification requires ID tokens to be signed, and permits "none" only where the token is obtained directly from the token endpoint in the authorization code flow and the client explicitly asked for it at registration, so honouring "none" during ID token validation is both non-compliant and unsafe.
**Recommendations**
Upgrade to a pac4j release in which the "none" algorithm is rejected during ID token validation rather than accepted whenever the provider advertises it; this applies to every affected version, 5.3.0 and prior, including 5.1 and earlier.
Until the upgrade is in place, configure the client so that "none" cannot be selected: pin ID token validation to a concrete signing algorithm (for example RS256) instead of letting the client follow the provider's advertised list, and verify that the provider's discovery document does not list "none" in `id_token_signing_alg_values_supported`.
Treat this as a temporary workaround only; the proper fix is a pac4j version that refuses unsigned ID tokens by default.
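The bypass described above and the allowlist fix recommended here, as an added example that is not pac4j's code or part of the original advisory. It is a stand-alone Python validator with the same shape as an OIDC ID token check: a "permissive" configuration that honours every algorithm the provider advertises, including "none", and a "strict" one that only accepts a concrete signing algorithm. HS256 keyed with the client secret stands in for RS256 so the example runs offline; the secret, issuer, client ID, claims, clock value and the `provider_advertises_none` discovery check are all constructed for the demo.

```python
"""Added example (not pac4j code): an ID-token validator that honours
alg="none" can be bypassed; an algorithm allowlist closes the hole.
All keys, claims, metadata and the clock below are constructed for the demo."""
import base64
import hashlib
import hmac
import json

# Constructed demo values: the client secret acts as the HS256 key
# (OIDC allows HS256 keyed with the client secret; RS256 behaves the same way).
CLIENT_SECRET = b"demo-client-secret-not-for-production"
ISSUER = "https://op.example"
CLIENT_ID = "demo-client"
NOW = 1_700_000_000  # fixed clock so the exp check is deterministic


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_id_token(claims: dict, key: bytes = CLIENT_SECRET) -> str:
    """What the legitimate OP does: sign header.payload with HS256."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_unsigned_id_token(claims: dict) -> str:
    """What the attacker does: alg=none, any claims, empty signature segment."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


class InvalidIdToken(Exception):
    pass


def validate_id_token(token: str, allowed_algs: set, key: bytes = CLIENT_SECRET,
                      now: int = NOW) -> dict:
    """Validate an ID token; whether 'none' is in allowed_algs decides the outcome."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidIdToken("expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise InvalidIdToken(f"algorithm {alg!r} not permitted")

    if alg == "none":
        # The vulnerable path: 'none' means "no signature", so nothing is
        # verified and the attacker-supplied claims are trusted as-is.
        if sig_b64 != "":
            raise InvalidIdToken("alg=none with a non-empty signature")
    elif alg == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise InvalidIdToken("signature verification failed")
    else:
        raise InvalidIdToken(f"no verifier for {alg!r}")

    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise InvalidIdToken("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise InvalidIdToken("wrong audience")
    if claims.get("exp", 0) <= now:
        raise InvalidIdToken("token expired")
    return claims


def provider_advertises_none(metadata: dict) -> bool:
    """Discovery-document check: does the OP offer 'none' for ID tokens?"""
    return "none" in metadata.get("id_token_signing_alg_values_supported", [])


# PERMISSIVE models a client that accepts every algorithm the OP advertises,
# 'none' included; STRICT is the hardened allowlist.
PERMISSIVE_ALGS = {"HS256", "none"}
STRICT_ALGS = {"HS256"}

ADMIN_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "admin", "exp": NOW + 300}


def demo() -> dict:
    """Run both configurations against a genuine token and a forged one."""
    genuine = issue_id_token({**ADMIN_CLAIMS, "sub": "alice"})
    forged = forge_unsigned_id_token(ADMIN_CLAIMS)  # attacker never had the key
    results = {}
    for name, algs in (("permissive", PERMISSIVE_ALGS), ("strict", STRICT_ALGS)):
        for kind, tok in (("genuine", genuine), ("forged", forged)):
            try:
                results[f"{name}/{kind}"] = validate_id_token(tok, algs)["sub"]
            except InvalidIdToken as exc:
                results[f"{name}/{kind}"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key:20s} {outcome}")
```

The permissive configuration accepts the forged token and reports the attacker as `admin` even though no key was ever involved; the strict one rejects it on the `alg` check before looking at any claim. Note that the allowlist is what matters: checking `iss`, `aud` and `exp` alone does not help, because the attacker writes those claims too. The `provider_advertises_none` check is the discovery-document inspection recommended above.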