CVE-2019-1010161
Description
perl-CRYPT-JWT 0.022 and earlier is affected by: Incorrect Access Control. The impact is: bypass authentication. The component is: JWT.pm for JWT security token, line 614 in _decode_jws(). The attack vector is: network connectivity (crafting user-controlled input to bypass authentication). The fixed version is: 0.023.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
perl-Crypt-JWT before 0.023 bypasses authentication due to insecure JWT signature verification.
Vulnerability
perl-Crypt-JWT versions 0.022 and earlier contain an authentication bypass flaw in the JWT.pm module, specifically in the _decode_jws() function at line 614. The bug is triggered when the decoder does not enforce the presence of a key or verifies the JWT signature incorrectly, allowing an attacker to craft a token that is accepted as valid. The issue was initially reported in reference [1] and affects all versions up to and including 0.022.
Exploitation
An attacker with network connectivity can craft a malicious JWT that manipulates the header or payload, for example by omitting the expected key or providing a forged RSA public key or symmetric secret. The flawed verification logic in _decode_jws() accepts this crafted token without proper cryptographic validation. No prior authentication or special privileges are needed beyond the ability to send the crafted token to a service using the vulnerable library.
Impact
Successful exploitation bypasses authentication entirely. The attacker can impersonate any user or claim arbitrary access, leading to unauthorized access to resources or actions that would otherwise require authentication. The integrity and authenticity of the token are compromised, making the impact high for any application relying on perl-Crypt-JWT for security.
Mitigation
Upgrade to version 0.023 or later, which fixes the signature verification logic. The official repository and CPAN distribution carry the patched release. No workaround is available for earlier versions, as the flaw is inherent in the decode method. The vendor confirmed the fix in the GitHub issue [1] and in the release notes.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=0.022
- perl-CRYPT-JWT/perl-CRYPT-JWT (v5) Range: 0.022 and earlier [fixed: 0.023]
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/DCIT/perl-Crypt-JWT/issues/3 (MISC)
News mentions
No linked articles in our index yet.