A vulnerability has been found in numerous JSON web token libraries across multiple languages. The vulnerability allows malicious users to bypass the token’s verification step by manipulating the algorithm and payload fields within the token. By manipulating the algorithm field a user can choose how the server will verify the token. By obtaining the server’s public key and abusing the ability to choose which algorithm is employed to verify a token, a user can ensure that the token they supply will be verified.
The author of the article suggests that libraries should implement an algorithm field in their verification functions. The server knows which algorithm it is using and should only accept tokens using a matching algorithm since there is no reason the user should be supplying which algorithm to use.