JWT Forgery via unvalidated jku parameter

Severity: High

Invicti detected a missing validation of the jku parameter in a JSON Web Token's header. This allows for the forgery of valid JSON Web Tokens with arbitrary payloads.


Attackers might be able to tamper with the values inside the JWT token payload and escalate privileges, impersonate users or trigger unintended application states that were meant to be prevented by the use of a tamper-proof token solution. Additionally they may be able to trigger a blind SSRF attack.


In order to fix this vulnerability,  you need to implement a whitelist of URLs that are allowed to host a JWK file, specified in the jku header parameter. To make sure it is resilient to validation bypasses, please make sure to validate the full URL and path and disable HTTP redirection for the HTTP library responsible for the token retrieval.

Further Reading#

Build your resistance to threats. And save hundreds of hours each month.

Get a demo See how it works