VYPR
Medium severity (CVSS 6.8) · OSV Advisory · Published Apr 1, 2024 · Updated Apr 15, 2026

CVE-2024-31033

Description

JJWT library through 0.12.5 may ignore certain characters in signing keys, leading users to believe they have stronger keys than actually used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2024-31033 describes a flaw in the JJWT (Java JWT) library, versions up to 0.12.5, where the setSigningKey() method in DefaultJwtParser and the signWith() method in DefaultJwtBuilder may ignore certain characters when processing HMAC signing keys [1][4]. This behavior can cause a user to incorrectly believe they have configured a strong key, when in fact the effective key used for signing or verification is weaker due to the omitted characters.

Exploitation

Conditions

The vulnerability is triggered only when a user supplies a key string that contains characters that are ignored by the library. The exact set of ignored characters is not publicly detailed, but the issue stems from how the key material is parsed. An attacker would need to know or guess that a target application is using such a key, and then exploit the reduced entropy to forge or verify JWTs. No authentication is required to exploit the weakness once the key is in use, but the attacker must have network access to the token endpoint.

Impact

If successfully exploited, an attacker could craft valid JWTs with arbitrary claims, bypassing authentication or authorization mechanisms that rely on the integrity of the token. The severity is rated Medium (CVSS 6.8) because exploitation depends on a specific user error (using a key with ignored characters) and the attacker must be able to observe or interact with the token system.

Mitigation

Status

The vendor disputes the finding, stating that the described behavior cannot occur unless there is a user error and that the tested version was more than six years old [4]. No official patch has been released. Users are advised to ensure they use strong, randomly generated keys that do not contain any characters that might be ignored, and to upgrade to the latest version of JJWT if available.
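As an added defender-side example (not code from the JJWT project or from this advisory), the check below avoids the String-accepting key methods named above: it hands JJWT the raw random bytes through Keys.hmacShaKeyFor, which enforces the HS256 minimum key size, and confirms that the key the parser will verify with is byte-for-byte the key that was generated. It assumes JJWT 0.12.x with jjwt-api, jjwt-impl and jjwt-jackson on the classpath; the class name and the subject claim are made up for the example.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import javax.crypto.SecretKey;
import java.security.SecureRandom;
import java.util.Arrays;

public class JjwtKeyCheck {

    // HS256 needs at least 256 bits of key material (RFC 7518 section 3.2).
    static final int MIN_HS256_KEY_BYTES = 32;

    // Build the SecretKey from the exact bytes you generated, never from a
    // String the library has to decode first. Keys.hmacShaKeyFor itself throws
    // WeakKeyException below the HS256 minimum; the explicit check is clearer.
    static SecretKey keyFromBytes(byte[] material) {
        if (material.length < MIN_HS256_KEY_BYTES) {
            throw new IllegalArgumentException(
                "key is " + material.length + " bytes, need " + MIN_HS256_KEY_BYTES);
        }
        return Keys.hmacShaKeyFor(material);
    }

    // The check this advisory calls for: the material JJWT holds must equal
    // what you generated, with nothing silently dropped along the way.
    static boolean effectiveKeyMatches(SecretKey key, byte[] intended) {
        return Arrays.equals(key.getEncoded(), intended);
    }

    static String issue(SecretKey key, String subject) {
        return Jwts.builder().subject(subject).signWith(key).compact();
    }

    static String verifySubject(SecretKey key, String jws) {
        Claims claims = Jwts.parser().verifyWith(key).build()
                .parseSignedClaims(jws).getPayload();
        return claims.getSubject();
    }

    public static void main(String[] args) {
        byte[] intended = new byte[MIN_HS256_KEY_BYTES];
        new SecureRandom().nextBytes(intended);
        SecretKey key = keyFromBytes(intended);
        if (!effectiveKeyMatches(key, intended)) {
            throw new IllegalStateException("effective key differs from intended key");
        }
        String token = issue(key, "alice");
        System.out.println("verified subject: " + verifySubject(key, token));
    }
}
```

Store the generated bytes (for example Base64-encoded) and decode them back to a byte array yourself before calling keyFromBytes, so that any decoding loss shows up in effectiveKeyMatches rather than in a silently weaker signature.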

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.jsonwebtoken:jjwt-impl (Maven)
Affected versions: <= 0.12.5
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 6

News mentions: 0