CVE-2020-28042
Description
ServiceStack before 5.9.2 fails to enforce JWT signature minimum length, allowing forged tokens to bypass authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
ServiceStack before version 5.9.2 mishandles JWT signature verification, allowing tokens with arbitrarily short or empty signatures to be accepted. The root cause is the lack of a minimum length check for the JWT signature portion. According to the release notes [2], a patch was introduced to require a minimum signature size, and a custom ValidateToken function can enforce this in older versions.
Exploitation
An attacker can exploit this by crafting a JWT token with an insufficient signature (e.g., removing or minimizing the signature) and presenting it to any endpoint that relies on JWT authentication. No prior authentication is needed; the attacker only requires network access to the target service. The Shielder blog [4] describes how during a penetration test, simply removing the signature resulted in a 200 OK response from authenticated APIs, confirming the bypass.
Impact
Successful exploitation leads to complete authentication bypass, granting the attacker unauthorized access to all JWT-protected resources. This includes potential access to administrative functions, sensitive data, or arbitrary actions depending on the application's authorization logic. The vulnerability can be used to impersonate any user or escalate privileges system-wide.
Mitigation
The vulnerability is fixed in ServiceStack version 5.9.2 [2]. Users unable to upgrade should implement a custom ValidateToken function that checks the signature length, as demonstrated in the release notes: req.GetJwtToken().LastRightPart('.').FromBase64UrlSafe().Length >= 32. No workaround is provided other than this custom validation. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog as of this writing.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
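As an added illustration of the Mitigation section and of the fix commit listed under Patches (example code, not ServiceStack's own), the program below reproduces the byte-array comparison before and after the patch, and implements the release-note minimum-length check as a plain .NET method with no ServiceStack dependency. Assumed: that the presented signature is the `other` argument (the loop in the diff is bounded by `other.Length`), that the method ends with `return compare == 0;` (outside the diff context), and a constructed header.payload signed with a placeholder key.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
static class SignatureCheckDemo
{
    // Pre-fix comparison as visible in the diff: the loop is bounded by other.Length,
    // so an empty `other`, or a truncated one matching a prefix, never sets a bit in compare.
    // The closing `return compare == 0;` is assumed (it sits outside the diff context).
    static bool EquivalentToBefore(byte[] bytes, byte[] other)
    {
        var compare = 0;
        for (var i = 0; i < other.Length; i++)
            compare |= other[i] ^ bytes[i];
        return compare == 0;
    }
    // Post-fix comparison: the null and length checks added by commit 540d4060e877.
    static bool EquivalentToAfter(byte[] bytes, byte[] other)
    {
        if (bytes == null || other == null)
            return bytes == other;
        if (bytes.Length != other.Length)
            return false;
        var compare = 0;
        for (var i = 0; i < other.Length; i++)
            compare |= other[i] ^ bytes[i];
        return compare == 0;
    }
    // Release-note mitigation for pre-5.9.2: base64url-decode the last '.'-segment, require >= 32 bytes.
    static bool SignatureLongEnough(string jwt)
    {
        var b64 = jwt.Substring(jwt.LastIndexOf('.') + 1).Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Convert.FromBase64String(b64).Length >= 32;
    }
    static void Main()
    {
        // Constructed header.payload and a placeholder key (not a real secret).
        var signingInput = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0";
        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes("placeholder-key"));
        var expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(signingInput));
        var truncated = new byte[16];
        Array.Copy(expected, truncated, 16);
        foreach (var presented in new[] { expected, truncated, new byte[0] })
            Console.WriteLine($"{presented.Length,2}-byte signature: before={EquivalentToBefore(expected, presented)} after={EquivalentToAfter(expected, presented)}");
        Console.WriteLine($"empty signature passes length check: {SignatureLongEnough(signingInput + ".")}");
    }
}
```

`SignatureLongEnough` is the stand-alone equivalent of the `req.GetJwtToken().LastRightPart('.').FromBase64UrlSafe().Length >= 32` expression quoted in Mitigation; on a patched 5.9.2 install the length check inside `EquivalentTo` already rejects the short and empty cases.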
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ServiceStack (NuGet) | < 5.9.2 | 5.9.2 |
Affected products
- ServiceStack/ServiceStack
Patches
540d4060e877 Update EquivalentTo to test length & null for equality as well
1 file changed · +6 −0
src/ServiceStack.Common/EnumerableExtensions.cs+6 −0 modified@@ -234,6 +234,12 @@ public static T FirstNonDefault<T>(this IEnumerable<T> values) [MethodImpl(MethodImplOptions.AggressiveInlining)] public static bool EquivalentTo(this byte[] bytes, byte[] other) { + if (bytes == null || other == null) + return bytes == other; + + if (bytes.Length != other.Length) + return false; + var compare = 0; for (var i = 0; i < other.Length; i++) compare |= other[i] ^ bytes[i];
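Review bot: the `if (bytes.Length != other.Length) return false;` check is the substantive fix in this hunk and deserves a comment or a regression test pinning the empty and truncated cases. The unchanged loop `for (var i = 0; i < other.Length; i++) compare |= other[i] ^ bytes[i];` is bounded by `other.Length` alone, so an empty `other` skips the loop and a shorter `other` only compares a prefix of `bytes`; nothing in the loop itself records that the lengths differed. Two smaller points: `return bytes == other;` in the null branch is reference equality on arrays, which is correct here (true only when both are null) but reads ambiguously and would be clearer as `return bytes == null && other == null;`, and the early `return false` on a length mismatch is not constant-time, which is acceptable for signature lengths but worth stating in a comment so the loop is not later "optimised" the same way for content.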
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-v5rv-hpxg-8x49 [ghsa: ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2020-28042 [ghsa: ADVISORY]
- forums.servicestack.net/t/servicestack-v5-9-2-released/8850 [ghsa: x_refsource_MISC, WEB]
- github.com/ServiceStack/ServiceStack/commit/540d4060e877a03ae95343c1a8560a26768585ee [ghsa: x_refsource_MISC, WEB]
- snyk.io/vuln/SNYK-DOTNET-SERVICESTACK-1035519 [ghsa: WEB]
- www.nuget.org/packages/ServiceStack [ghsa: WEB]
- www.shielder.it/advisories/servicestack-jwt-signature-verification-bypass [ghsa: WEB]
- www.shielder.it/advisories/servicestack-jwt-signature-verification-bypass/ [mitre: x_refsource_MISC]
- www.shielder.it/blog/2020/11/re-discovering-a-jwt-authentication-bypass-in-servicestack [ghsa: WEB]
- www.shielder.it/blog/2020/11/re-discovering-a-jwt-authentication-bypass-in-servicestack/ [mitre: x_refsource_MISC]
News mentions
No linked articles in our index yet.