CVE-2016-10555

Name of the Vulnerable Software and Affected Versions jwt-simple versions 0.3.0 and earlier

Description The issue allows a malicious user to choose the algorithm sent to the server, potentially bypassing authentication. If the server expects RSA but receives HMAC-SHA with RSA's public key, it may incorrectly interpret the public key as an HMAC private key, enabling the forging of any desired data. This behavior can be exploited to modify the contents of a JWT while still passing verification, resulting in a complete authentication bypass.

Recommendations Update to version 0.3.1 or later. Always specify an algorithm in calls to decode().