
Panagiotisvasilikos

#31342 of 53,640
8.2 CVSS total
Vulnerabilities · 1
PT-2023-23000
8.2
2023-04-26
Espv2 · Espv2 · CVE-2023-30845
**Name of the Vulnerable Software and Affected Versions**

ESPv2 versions 2.20.0 through 2.42.0

**Description**

The issue allows API clients to bypass JWT authentication by crafting a malicious `X-HTTP-Method-Override` header value under specific conditions. This occurs when the requested HTTP method is not in the API service definition, and the specified `X-HTTP-Method-Override` is a valid HTTP method in the API service definition. As a result, ESPv2 will forward the request to the backend without checking the JWT, enabling attackers to bypass authentication. Restricting API access with API keys is not affected by this issue.

**Recommendations**

Upgrade deployments to release v2.43.0 or higher to receive a patch, ensuring JWT authentication occurs even when the caller specifies `x-http-method-override`. As a temporary workaround, consider restricting the use of the `X-HTTP-Method-Override` header until the patch is applied.
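
To check whether a deployment in the affected range saw requests matching the condition described above, gateway or backend logs can be filtered for it. The following is an added example, not code from ESPv2 or from the advisory. The log field names, the sample records and the service definition are constructed, and matching methods per path template is an assumption about how the service definition is applied.

```python
import json
import re

# Constructed service definition (assumption): path template -> methods defined for it.
API_DEFINITION = {
    "/v1/items": {"GET", "POST"},
    "/v1/items/{id}": {"GET", "DELETE"},
}

# Constructed log records (JSON lines); the field names are hypothetical.
SAMPLE_LOG = """\
{"id": 1, "method": "GET", "path": "/v1/items/42", "headers": {}}
{"id": 2, "method": "PUT", "path": "/v1/items/42", "headers": {"x-http-method-override": "delete"}}
{"id": 3, "method": "POST", "path": "/v1/items", "headers": {"X-HTTP-Method-Override": "GET"}}
{"id": 4, "method": "PATCH", "path": "/v1/items", "headers": {"X-Http-Method-Override": "TRACE"}}
"""

def template_regex(template):
    # Turn "/v1/items/{id}" into a regex where each {var} matches one path segment.
    parts = re.split(r"\{[^/{}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in parts) + "/?$")

ROUTES = [(template_regex(t), m) for t, m in API_DEFINITION.items()]

def defined_methods(path):
    path = path.split("?", 1)[0]  # ignore the query string
    for rx, methods in ROUTES:
        if rx.match(path):
            return methods
    return set()

def classify(record):
    # Header names are case-insensitive, so normalise before the lookup.
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    override = headers.get("x-http-method-override")
    if override is None:
        return "ok"
    methods = defined_methods(record["path"])
    # Advisory condition: requested method undefined, override method defined.
    if record["method"].upper() not in methods and override.strip().upper() in methods:
        return "bypass-condition"
    return "override-present"

def scan(log_text):
    records = [json.loads(l) for l in log_text.splitlines() if l.strip()]
    verdicts = {r["id"]: classify(r) for r in records}
    return {i: v for i, v in verdicts.items() if v != "ok"}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Records marked `bypass-condition` are the ones to review for missing JWT validation; `override-present` records show where the header is in use and would be affected by the temporary workaround.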