PT-2024-34877 · CVE-2024-51744 · Golang-Jwt
Yuligesec · Published 2024-11-04 · Updated 2026-01-24
CVSS v3.1: 3.1 (Low)
| Vector | AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
golang-jwt versions prior to 4.5.1
Description
The issue arises from unclear documentation of the error behavior of ParseWithClaims, which can lead to callers not checking its errors properly. Specifically, if a token is both expired and has an invalid signature, the error returned by ParseWithClaims carries both error codes. Callers who only check for jwt.ErrTokenExpired using errors.Is may overlook the embedded jwt.ErrTokenSignatureInvalid and thus accept invalid tokens.
Recommendations
For golang-jwt versions prior to 4.5.1, make sure you check for all errors, with the "dangerous" ones first, to avoid accepting invalid tokens. Consider updating to version 4.5.1, which fixes the error handling logic, but be aware that the update may break your code because the behavior of the established ParseWithClaims function changes. If updating to 4.5.1 is not feasible, manually verify the errors returned by ParseWithClaims, checking for jwt.ErrTokenSignatureInvalid and other critical errors before checking for less severe conditions such as jwt.ErrTokenExpired.
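The check ordering described above, as an added example that is neither the advisory's nor golang-jwt's own code. The two sentinel errors and the combined error are constructed stand-ins (errors.Join emulates how ParseWithClaims in the affected versions reports several failures in one error); in real code they would be jwt.ErrTokenExpired and jwt.ErrTokenSignatureInvalid from github.com/golang-jwt/jwt/v4, and parseErr would be the error returned by ParseWithClaims.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins for jwt.ErrTokenExpired and jwt.ErrTokenSignatureInvalid
// (constructed for this example; the real sentinels live in
// github.com/golang-jwt/jwt/v4).
var (
	ErrTokenExpired          = errors.New("token is expired")
	ErrTokenSignatureInvalid = errors.New("token signature is invalid")
)

// vulnerableCheck shows the pattern the advisory warns about. A refresh
// endpoint that wants to tolerate expired-but-genuine tokens checks only for
// ErrTokenExpired; because errors.Is matches inside a combined error, a token
// that is expired AND has a bad signature is treated as "merely expired".
func vulnerableCheck(parseErr error) bool {
	if parseErr == nil {
		return true
	}
	return errors.Is(parseErr, ErrTokenExpired)
}

// hardenedCheck tests the dangerous error first, as the recommendation says,
// so a bad signature is rejected regardless of what else went wrong. Only an
// error that is not a signature failure and is an expiry is then tolerated.
func hardenedCheck(parseErr error) bool {
	if parseErr == nil {
		return true
	}
	if errors.Is(parseErr, ErrTokenSignatureInvalid) {
		return false
	}
	return errors.Is(parseErr, ErrTokenExpired)
}

func main() {
	// Constructed: the error ParseWithClaims reports for a token that is both
	// expired and has an invalid signature (errors.Join emulates the library's
	// combined error).
	both := errors.Join(ErrTokenExpired, ErrTokenSignatureInvalid)

	fmt.Println("vulnerable accepts expired+invalid:", vulnerableCheck(both))         // true
	fmt.Println("hardened accepts expired+invalid:", hardenedCheck(both))             // false
	fmt.Println("hardened accepts expired only:", hardenedCheck(ErrTokenExpired))     // true
}
```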
Weakness types
Improper Verification of Cryptographic Signature
Improper Handling of Exceptional Conditions
Related Identifiers
Affected Products
Alt Linux
Debian
Suse
Golang-Jwt