Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token’s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Set ‘verify’ to true before using the token. Likelihood: MEDIUM Confidence: HIGH CWE: - CWE-287: Improper Authentication
- CWE-345: Insufficient Verification of Data Authenticity
- CWE-347: Improper Verification of Cryptographic Signature
OWASP: - A05:2021 - Security Misconfiguration
- A07:2021 - Identification and Authentication Failures