Detected decoding of a JWT without a verify step. A JWT must be verified before its claims are used; otherwise the token's integrity is unknown and a malicious actor could forge a token carrying arbitrary claims (in the ruby-jwt gem, `JWT.decode(token, nil, false)` skips signature verification; pass the key, `true`, and an explicit `algorithm:` instead).
Likelihood: LOW
Confidence: LOW
CWE: - CWE-345: Insufficient Verification of Data Authenticity
OWASP: - A08:2021 - Software and Data Integrity Failures
ruby-jwt-exposed-data
The object is passed directly to the JWT signing call (`JWT.encode` in the ruby-jwt gem). A JWT payload is only base64url-encoded, not encrypted, so anyone holding the token can read it; make sure that sensitive information (passwords, hashes, secrets, personal data) is not exposed through the token payload.
Likelihood: LOW
Confidence: LOW
CWE: - CWE-522: Insufficiently Protected Credentials
OWASP: - A02:2017 - Broken Authentication
- A04:2021 - Insecure Design
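The following Ruby script is an added example illustrating both rules above; it is not part of the Semgrep rule source. To run without the ruby-jwt gem it builds HS256 tokens from the standard library (OpenSSL, Base64, JSON); the helper names (`jwt_encode`, `jwt_decode_unverified`, `jwt_decode_verified`, `forge_token`, `demo`) and the secret and claims are constructed for the demonstration. It shows that a payload containing a credential is readable by anyone holding the token, that an unverified decode (the ruby-jwt equivalent is `JWT.decode(token, nil, false)`) accepts a token whose claims were rewritten, and that a decode which pins the algorithm and checks the signature rejects it.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed secret for this example; a real key comes from configuration.
SECRET = 'constructed-demo-secret'.freeze

def b64url_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str) # tolerates missing padding on Ruby >= 2.3
end

# Constant-time byte comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Minimal HS256 signer, equivalent to JWT.encode(payload, key, 'HS256') in ruby-jwt.
# Whatever is in `payload` is visible to every holder of the token (exposed-data rule).
def jwt_encode(payload, secret)
  header = { 'alg' => 'HS256', 'typ' => 'JWT' }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
  sig = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{b64url_encode(sig)}"
end

# The pattern the decode-without-verify rule flags: claims are read without any
# signature check, so the caller cannot tell a genuine token from a forged one.
def jwt_decode_unverified(token)
  _header, payload, _sig = token.split('.')
  JSON.parse(b64url_decode(payload))
end

# Hardened decode: require three parts, pin the algorithm (this also rejects
# alg "none"), recompute the HMAC over header.payload and compare in constant time.
def jwt_decode_verified(token, secret)
  parts = token.split('.')
  raise 'malformed token' unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  raise 'unexpected alg' unless header['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
  raise 'bad signature' unless secure_equal?(b64url_decode(sig_b64), expected)
  JSON.parse(b64url_decode(payload_b64))
end

# Attacker-side: rewrite claims in an existing token, keeping the old signature.
def forge_token(token, new_claims)
  header_b64, payload_b64, sig_b64 = token.split('.')
  payload = JSON.parse(b64url_decode(payload_b64)).merge(new_claims)
  "#{header_b64}.#{b64url_encode(JSON.generate(payload))}.#{sig_b64}"
end

def demo
  # Exposed data: the credential-bearing claim is readable without the key.
  token = jwt_encode({ 'sub' => 'alice', 'role' => 'user',
                       'password_hash' => 'constructed-bcrypt-hash' }, SECRET)
  leaked = jwt_decode_unverified(token)['password_hash']

  # Missing verify: the forged token passes the unverified decode as admin ...
  forged = forge_token(token, 'role' => 'admin')
  unverified_role = jwt_decode_unverified(forged)['role']

  # ... but the verified decode rejects it and still accepts the genuine token.
  verified_rejected = begin
    jwt_decode_verified(forged, SECRET)
    false
  rescue RuntimeError
    true
  end
  genuine_role = jwt_decode_verified(token, SECRET)['role']

  { leaked: leaked, unverified_role: unverified_role,
    verified_rejected: verified_rejected, genuine_role: genuine_role }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In application code use the library rather than this hand-rolled verifier: `JWT.decode(token, key, true, algorithm: 'HS256')` performs the same signature and algorithm checks, and claims that must stay private belong server-side (or in an encrypted JWE), not in the signed payload.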