Go · github.com/nuts-foundation/nuts-node · CVE-2026-41164
**Name of the Vulnerable Software and Affected Versions**
nuts-node versions prior to 5.4.31
nuts-node versions prior to 6.2.3
**Description**
The v1 access token introspection endpoint '/auth/v1/introspect access token' accepts any JSON Web Token (JWT) signed by a key present on the node without validating the JWT type, the issuer-to-key binding, or the required claims. As a result, a Verifiable Presentation (VP) JWT, a format used to present credentials rather than to grant access, can be replayed as an access token and yields an `active: true` introspection response. The endpoint performs only the standard JWT signature and expiry checks: it does not verify that the `iss` (issuer) claim matches the Decentralized Identifier (DID) extracted from the `kid` (key ID) header, it ignores the `typ` (type) header, and it allows the `service` claim to be empty.
**Recommendations**
Update to version 5.4.31 or later.
Update to version 6.2.3 or later.
As a temporary workaround, resource servers should explicitly validate introspection responses by rejecting those where the `service` claim is empty, where the `iss` claim is empty or does not match the expected authorizer DID, or where the `sub` claim does not match the expected requester DID.
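The workaround above, written out as a resource-server-side check (an added example, not code from the nuts-node project): the struct field names, the DIDs and the service value are assumptions constructed for this illustration, and the check rejects exactly the three conditions the advisory lists.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// IntrospectionResponse holds the claims the workaround inspects.
// Field names are assumptions for this example.
type IntrospectionResponse struct {
	Active  bool   `json:"active"`
	Iss     string `json:"iss"`
	Sub     string `json:"sub"`
	Service string `json:"service"`
}

// ValidateIntrospection applies the advisory's workaround: reject responses
// whose service claim is empty, whose iss is empty or is not the expected
// authorizer DID, or whose sub is not the expected requester DID.
func ValidateIntrospection(raw []byte, expectedAuthorizer, expectedRequester string) error {
	var r IntrospectionResponse
	if err := json.Unmarshal(raw, &r); err != nil {
		return fmt.Errorf("parse introspection response: %w", err)
	}
	if !r.Active {
		return errors.New("token is not active")
	}
	if r.Service == "" {
		return errors.New("service claim is empty")
	}
	if r.Iss == "" || r.Iss != expectedAuthorizer {
		return fmt.Errorf("iss %q does not match expected authorizer %q", r.Iss, expectedAuthorizer)
	}
	if r.Sub != expectedRequester {
		return fmt.Errorf("sub %q does not match expected requester %q", r.Sub, expectedRequester)
	}
	return nil
}

func main() {
	// Constructed sample: an unpatched node's response for a replayed VP JWT,
	// active but with no service claim and an iss that is not the authorizer.
	replayed := []byte(`{"active":true,"iss":"did:web:example.com:holder","sub":"did:web:example.com:holder"}`)
	fmt.Println(ValidateIntrospection(replayed, "did:web:example.com:authorizer", "did:web:example.com:holder"))
}
```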