PT-2021-24475 · Unknown · Identity-Token-Verifier

Published 2021-03-12 · Updated 2021-03-12

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: identity-token-verifier versions prior to 0.5.2
Description: A verification flaw in the identity-token-verifier library allows Demonstrating Proof of Possession (DPoP) proofs to be spoofed, potentially giving an attacker full access to a targeted Pod. A DPoP proof binds an access token to the holder of a private key: the token carries a thumbprint of the bound public key under the issuer's signature, and the resource server must check the proof against that issuer-signed value. The library instead checks the proof against a field the sender of the request can modify, so an attacker who obtains a DPoP-bound access token can present it with a proof signed by a key of their own and rebind the token to that key.
Recommendations: Update identity-token-verifier to version 0.5.2 or later, which fixes the verification flaw. As a temporary workaround until the update can be applied, consider restricting use of the DPoP verification code in DPoP.ts so that DPoP-bound tokens are not accepted from untrusted callers.

Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

GHSA-XMH9-RG6F-J3MR

Affected Products

Identity-Token-Verifier