Unvalidated JWT x5u parameter
Description
The application does not properly validate the 'x5u' (X.509 URL) parameter in JWT headers. This header points to the X.509 certificate (or certificate chain) whose public key is used to verify the token's signature. When the value is accepted without validation, an attacker can point it at a certificate they host on an external server, so that tokens they sign with the matching private key verify successfully; this lets them forge JWTs with arbitrary claims and potentially gain unauthorized access. The same weakness enables Server-Side Request Forgery (SSRF), because the server makes outbound requests to whatever URL the attacker supplies.
Remediation
Implement strict validation controls for the 'x5u' parameter to prevent both JWT forgery and SSRF attacks:
1. Implement URL Allowlisting: Create an explicit allowlist of trusted hosts (and, where practical, paths) authorized to serve X.509 certificates. Reject any 'x5u' value whose host does not exactly match an entry in this allowlist; prefix or substring matching on the host is not sufficient.
// Example: Java implementation. The host must match an allowlist entry exactly;
// a startsWith() check would accept trusted-cert-server.example.com.attacker.example.
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Locale;
import java.util.Set;

private static final Set<String> ALLOWED_X5U_HOSTS = Set.of(
    "trusted-cert-server.example.com",
    "auth.yourcompany.com"
);

public boolean isValidX5uUrl(String x5uUrl) {
    try {
        URL url = new URL(x5uUrl);
        if (!"https".equals(url.getProtocol())) {
            return false; // enforce HTTPS
        }
        if (url.getUserInfo() != null) {
            return false; // reject user@host forms that hide the real host
        }
        if (url.getPort() != -1 && url.getPort() != 443) {
            return false; // only the default TLS port
        }
        String host = url.getHost().toLowerCase(Locale.ROOT);
        return ALLOWED_X5U_HOSTS.contains(host); // exact match, never startsWith
    } catch (MalformedURLException e) {
        return false;
    }
}

2. Disable HTTP Redirects: Configure your HTTP client to reject redirects when fetching certificates, so that an allowlisted host (or an open redirect on it) cannot bounce the fetch to an untrusted location.
3. Validate the Complete URL: Parse and validate the entire URL structure including protocol (enforce HTTPS), hostname, and path. Do not rely on simple string matching that can be bypassed with URL encoding or special characters.
4. Consider Alternative Approaches: Where possible, use the 'x5c' parameter (embedded certificate chain) instead of 'x5u', or keep a local certificate store rather than fetching certificates from remote URLs. Note that an 'x5c' chain is also attacker-supplied and must still be validated against a locally trusted root or pinned key before its public key is used.
5. Implement Network-Level Controls: Restrict outbound connections from application servers to only necessary destinations using firewall rules or network segmentation.
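The following Python example is added here and is not code from the original advisory. It ties steps 1 to 3 together: it parses the JOSE header of a token, validates the 'x5u' value against an allowlist of exact hostnames with a per-host path prefix, rejects non-HTTPS schemes, userinfo tricks, IP literals, non-default ports and path traversal, and builds a urllib opener that refuses redirects. The allowlist entries, hostnames and tokens are constructed for the demonstration; the `make_demo_token` helper produces unsigned tokens purely so the header parsing can be exercised offline.

```python
"""Added example, not part of the original advisory: validate a JWT 'x5u'
header value before anything is fetched, and build a certificate fetcher that
refuses redirects. Allowlist entries, hostnames and tokens are constructed."""
import base64
import ipaddress
import json
import posixpath
import urllib.request
from urllib.parse import unquote, urlsplit

# Constructed allowlist: exact hostname -> path prefix the certificate must sit under.
ALLOWED_X5U = {
    "auth.yourcompany.com": "/certs/",
    "trusted-cert-server.example.com": "/",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jwt_header(token: str) -> dict:
    """Return the JOSE header of a compact JWT (parsed, not verified)."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def validate_x5u(x5u: str, allowed=ALLOWED_X5U) -> bool:
    """Accept only https://<exact allowlisted host>[:443]<path under that host's prefix>."""
    try:
        parts = urlsplit(x5u)
        port = parts.port                       # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":                 # step 3: enforce HTTPS
        return False
    if parts.username is not None or parts.password is not None:
        return False                            # user@host forms are rejected outright
    host = parts.hostname                       # already lowercased by urlsplit
    if not host:
        return False
    try:
        ipaddress.ip_address(host)              # IP literals are never certificate hosts here
        return False
    except ValueError:
        pass
    if host not in allowed:                     # step 1: exact match, never startswith
        return False
    if port not in (None, 443):
        return False
    path = unquote(parts.path or "/")
    if "%" in path or "\\" in path:             # leftover double-encoding or odd separators
        return False
    norm = posixpath.normpath(path)             # collapse '.' and '..' so they cannot escape
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm.startswith(allowed[host])


def x5u_from_token_is_safe(token: str) -> bool:
    """Header-level gate: True only when the token carries an x5u that passes validate_x5u."""
    x5u = parse_jwt_header(token).get("x5u")
    return isinstance(x5u, str) and validate_x5u(x5u)


class NoRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Step 2: returning None makes urllib raise HTTPError instead of following a 3xx."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def build_cert_fetcher() -> urllib.request.OpenerDirector:
    """Opener for x5u fetches; callers must run validate_x5u on the URL first."""
    return urllib.request.build_opener(NoRedirectHandler())


def make_demo_token(header: dict) -> str:
    """Constructed, unsigned token (header.payload.<placeholder signature>) for the demo."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg(header)}.{seg({'sub': 'demo'})}.sig"


if __name__ == "__main__":
    for url in ("https://auth.yourcompany.com/certs/key.pem",
                "https://auth.yourcompany.com.attacker.example/certs/key.pem",
                "https://auth.yourcompany.com@attacker.example/certs/key.pem",
                "https://auth.yourcompany.com/certs/../../admin/key.pem"):
        print(validate_x5u(url), url)
```

The validator runs before any network call, so a rejected 'x5u' never produces an outbound request; the redirect handler then guarantees that even an allowlisted host cannot forward the fetch elsewhere. Network-level egress controls (step 5) remain the backstop if application-level validation is ever bypassed.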