JWT Signature Bypass via unvalidated jku parameter
Description
This vulnerability occurs when a JSON Web Token (JWT) implementation fails to properly validate the 'jku' (JWK Set URL) header parameter. The 'jku' parameter specifies a URL where the JSON Web Key Set (JWKS) containing the public keys for signature verification can be retrieved. When this parameter is not validated against a whitelist of trusted URLs, an attacker can point it to a malicious server hosting their own JWKS. This allows the attacker to sign forged tokens with their own private key, which the application will then validate using the attacker-controlled public key, effectively bypassing JWT signature verification entirely.
Remediation
Implement strict validation of the 'jku' parameter by maintaining an allowlist of trusted URLs authorized to host JWKS files. Validate the complete URL including protocol, domain, and path—not just the domain. Disable HTTP redirects when fetching JWKS to prevent redirect-based bypasses. Consider the following implementation approaches:
Option 1 (Recommended): Disable 'jku' parameter support entirely and configure JWKS URLs directly in your application configuration.
Option 2: Implement strict URL validation:
// Example validation (Node.js)
const ALLOWED_JKU_URLS = [
'https://trusted-auth-server.example.com/.well-known/jwks.json'
];
function validateJku(jkuUrl) {
if (!ALLOWED_JKU_URLS.includes(jkuUrl)) {
throw new Error('JKU URL not in allowlist');
}
return jkuUrl;
}
// When fetching JWKS, disable redirects
const response = await fetch(validateJku(jkuUrl), {
redirect: 'manual'
});
Ensure your JWT library is configured to reject tokens with untrusted 'jku' values before signature verification occurs.