GHSA-mx47-h5fv-ghwh: light-oauth2 missing public key verification
light-oauth2 before version 2.1.27 obtains the public key without any verification. This could allow attackers to authenticate to the application with a crafted JWT token.
High severity · GitHub Reviewed · Published Oct 25, 2023 to the GitHub Advisory Database · Updated Oct 27, 2023
Related news
CVE-2023-31580: A certificate verification issue when get the public key used to verify JWT. · Issue #369 · networknt/light-oauth2