Unknown · Golang-Jwt · CVE-2024-51744
**Name of the Vulnerable Software and Affected Versions**
golang-jwt versions prior to 4.5.1
**Description**
The issue arises from unclear documentation of the error behavior in `ParseWithClaims`, potentially leading to situations where users do not properly check errors. Specifically, if a token is both expired and invalid, the error returned by `ParseWithClaims` wraps both error codes. If users only check for `jwt.ErrTokenExpired` using `errors.Is`, they may ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens.
**Recommendations**
For golang-jwt versions prior to 4.5.1, ensure that you are properly checking for all errors, with "dangerous" ones first, to avoid potentially accepting invalid tokens. Consider updating to version 4.5.1, which includes a fix for the error handling logic, but be aware that this update might break your code due to changes in the behavior of the established `ParseWithClaims` function. If updating to 4.5.1 is not feasible, manually verify the errors returned by `ParseWithClaims`, checking for `jwt.ErrTokenSignatureInvalid` and other critical errors before checking for less severe issues like `jwt.ErrTokenExpired`.
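The check-ordering recommendation above, as an added example that is not code from the golang-jwt project. It does not import the library: the sentinel errors are local stand-ins for `jwt.ErrTokenExpired` and `jwt.ErrTokenSignatureInvalid` (plus an assumed `ErrTokenMalformed`), and the combined error that `ParseWithClaims` can return for a token that is both expired and forged is modelled with the standard library's `errors.Join`, which `errors.Is` unwraps the same way. The `parseResult`, `naiveVerdict` and `safeVerdict` functions and the `Verdict` values are all assumptions made for the illustration; the "allow refresh" verdict models a caller that trusts the claims of an expired token to mint a new one, which is how an expired-only check ends up accepting a token whose signature never verified.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins for the library's sentinel errors (assumption: they only model
// jwt.ErrTokenExpired, jwt.ErrTokenSignatureInvalid and a malformed-token error;
// the real values live in the golang-jwt package).
var (
	ErrTokenExpired          = errors.New("token is expired")
	ErrTokenSignatureInvalid = errors.New("token signature is invalid")
	ErrTokenMalformed        = errors.New("token is malformed")
)

// Verdict is what the caller decides to do with the token.
type Verdict string

const (
	Accept       Verdict = "accept"        // claims are trusted
	AllowRefresh Verdict = "allow-refresh" // claims are trusted to issue a new token
	Reject       Verdict = "reject"        // nothing in the token is trusted
)

// parseResult models the error ParseWithClaims returns: nil on success, otherwise
// one error that may wrap several sentinels at once (here via errors.Join).
func parseResult(expired, badSignature bool) error {
	var errs []error
	if expired {
		errs = append(errs, ErrTokenExpired)
	}
	if badSignature {
		errs = append(errs, ErrTokenSignatureInvalid)
	}
	return errors.Join(errs...) // errors.Join returns nil when errs is empty
}

// naiveVerdict is the pattern the advisory warns about: it asks only whether the
// token is expired and treats that as a benign, refreshable condition, so a token
// that is expired AND has a bad signature still reaches the refresh path.
func naiveVerdict(err error) Verdict {
	if err == nil {
		return Accept
	}
	if errors.Is(err, ErrTokenExpired) {
		return AllowRefresh // wrong: err may also wrap ErrTokenSignatureInvalid
	}
	return Reject
}

// safeVerdict follows the recommendation: test the dangerous errors first and
// only then fall through to the less severe expiry case; unknown errors fail closed.
func safeVerdict(err error) Verdict {
	if err == nil {
		return Accept
	}
	if errors.Is(err, ErrTokenSignatureInvalid) || errors.Is(err, ErrTokenMalformed) {
		return Reject
	}
	if errors.Is(err, ErrTokenExpired) {
		return AllowRefresh
	}
	return Reject
}

func main() {
	both := parseResult(true, true) // expired and signature invalid at the same time
	fmt.Println("errors.Is(expired):", errors.Is(both, ErrTokenExpired))
	fmt.Println("naive verdict:", naiveVerdict(both)) // allow-refresh: the bug
	fmt.Println("safe verdict: ", safeVerdict(both))  // reject
}
```

The same ordering applies when checking the error against any other fatal condition the library reports: anything that means the token was never authentic goes before anything that merely means it is stale.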