[JS]: Decoding JWT without any signature Verification

### Query PR

https://github.com/github/codeql/pull/14088

### Language

Javascript

### CVE(s) ID list

- https://www.ghostccamm.com/blog/multi_strapi_vulns/#cve-2023-22893-authentication-bypass-for-aws-cognito-login-provider-in-strapi-versions-456

### CWE

CWE-347

### Report

Some functions of some JWT packages do not verify the JWT signature, and sometimes developers use it by mistake, if developers are using this intentionally then they should be careful about future contributions so I think especially in open source projects It is not recommended to use these unsafe methods.


### Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

- [X] Yes
- [ ] No

### Blog post link

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[JS]: Decoding JWT without any signature Verification #784

Query PR

Language

CVE(s) ID list

CWE

Report

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Blog post link

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Uh oh!

[JS]: Decoding JWT without any signature Verification #784

Description

Query PR

Language

CVE(s) ID list

CWE

Report

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Blog post link

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions