CVE-2024-51744

CVSS 3.1 Score 3.1 of 10 (low)

Details

Published Nov 4, 2024
Updated: Nov 5, 2024
CWE ID 755

Summary

CVE-2024-51744 affects the golang-jwt package, a Go implementation of JSON Web Tokens. The issue stems from unclear error documentation for the `ParseWithClaims` function, which can cause callers to inadvertently accept invalid tokens. Specifically, if a token is both expired and has an invalid signature, `ParseWithClaims` returns both errors combined in a single error value. Callers who only check for `jwt.ErrTokenExpired` using `errors.Is` will overlook the embedded `jwt.ErrTokenSignatureInvalid`, potentially leading to the acceptance of forged tokens. A fix has been implemented in the 4.5.1 release, where `ParseWithClaims` returns immediately in "dangerous" situations (e.g., an invalid signature), limiting combined errors to situations where the signature is valid but further validation has failed. However, this change is not backwards compatible and may break existing code. Users are advised to check for all returned errors, not just expiry, to prevent the acceptance of invalid tokens.
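The following is an added, self-contained Go model of the pitfall described above; it is not golang-jwt's own code. The sentinel errors, the `token` type and the two `validate*` functions are constructed here to mirror the pre-4.5.1 joined-error behaviour and the 4.5.1 "return immediately" fix, and `refreshAllowed*` are hypothetical caller patterns (a refresh flow that tolerates expiry).

```go
package main

import "errors"

// Sentinels named after golang-jwt's, defined here so the model is
// self-contained; this is a constructed model, not the library's code.
var ErrTokenExpired = errors.New("token is expired")
var ErrTokenSignatureInvalid = errors.New("token signature is invalid")

// token is a constructed stand-in for a parsed JWT (two properties only).
type token struct{ signatureValid, expired bool }

// validatePre451 models the behaviour described before 4.5.1: every failed
// check is collected, so forged+expired yields both sentinels in one error.
func validatePre451(t token) error {
	var errs []error
	if !t.signatureValid {
		errs = append(errs, ErrTokenSignatureInvalid)
	}
	if t.expired {
		errs = append(errs, ErrTokenExpired)
	}
	return errors.Join(errs...) // nil when errs is empty
}

// validate451 models the 4.5.1 fix: a bad signature is returned immediately
// and on its own, never combined with later validation errors.
func validate451(t token) error {
	if !t.signatureValid {
		return ErrTokenSignatureInvalid
	}
	if t.expired {
		return ErrTokenExpired
	}
	return nil
}

// refreshAllowedUnsafe is the caller pattern the advisory warns about: it
// asks only "expired?", and errors.Is matches anywhere in a joined error.
func refreshAllowedUnsafe(err error) bool {
	return err == nil || errors.Is(err, ErrTokenExpired)
}

// refreshAllowedSafe checks the dangerous sentinel before tolerating expiry.
func refreshAllowedSafe(err error) bool {
	if errors.Is(err, ErrTokenSignatureInvalid) {
		return false
	}
	return err == nil || errors.Is(err, ErrTokenExpired)
}
```

With the pre-4.5.1 model, `refreshAllowedUnsafe` accepts a token that is both forged and expired, while `refreshAllowedSafe` rejects it; with the 4.5.1 model the same token produces only the signature error, so even the unsafe check rejects it.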
