PoC vulnerable web app for CVE-2023-51774?

[postmodern]

Hello, the maintainer of json-jwt contests whether it is even possible to create an application that is vulnerable to CVE-2023-51774. Could you create a PoC web application that demonstrates how to exploit CVE-2023-51774?

[P3ngu1nW]

Hi! Sign/encryption attack1 may lead to authentication bypass, for example: A router will check whether the user's JWT can be verified and consider whether to reject the HTTP request.

In this case, the user can construct a fake JWE to bypass this restriction.

JWcrypto2 has also fixed this problem.

Reference

[postmodern]

A router will check whether the user's JWT can be verified and consider whether to reject the HTTP request.

but is that actually possible in a real application using json-jwt? The maintainer says that the JWT and JWE objects are different enough, that using a decoded JWE object in place of a decoded JWT object would probably result in a NoMethodError exception. Could you try reproducing this in an example Ruby app?

[P3ngu1nW]

It's certainly possible. What I mean is that JWT.decode can also be used to verify the JWT, it does not necessarily need to be used to parse its content.