Vulnerabilities / Weak JWT HMAC secret
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
↓
Severity
High
CWE Name
Weak JWT HMAC secret
CWE ID
CWE-345
CVSS Score
7.5
Compliance
OWASP TOP10 -> A8
ISO27001 -> A.8.2, A.8.3, A.8.5, A.8.24, A.8.26
ISO27001 -> A.8.2, A.8.3, A.8.5, A.8.24, A.8.26
The secret used to create the JWT signature can be guessed easily. If the JWT is used to control access to the application, an attacker could take advantage of this vulnerability to forge a token and impersonate other users or even elevate privileges.
How to fix
To fix this issue, you must use a secret that cannot be guessed. For instance, if you use
hs256as a signing algorithm, ensure its key has at least 256 bits. To generate a key with the desired length, use a cryptographically secure random generator function to generate a 32 bytes string (256 bits).
