CVE-2020-26160
Audience Bypass vulnerability in jwt-go (Go)
What is CVE-2020-26160 About?
This vulnerability is an Audience Bypass flaw in JWT processing: audience verification can be circumvented when the JWT's audience claim is an array of strings and MapClaims.VerifyAudience is called with `req` set to false. An invalid set of audiences is then accepted, potentially leading to unauthorized access. Exploitation is relatively easy for an attacker who can control JWT content when the library is used in this configuration.
Affected Software
- github.com/dgrijalva/jwt-go
  - >=0.0.0-20150717181359-44718f8a89b0
  - >0.0.0-20150717181359-44718f8a89b0, <=3.2.0
- github.com/dgrijalva/jwt-go/v4
  - <4.0.0-preview1
Technical Details
The vulnerability arises when a JSON Web Token (JWT) audience claim (aud) is an array of strings rather than a single string. If MapClaims.VerifyAudience is invoked with the req parameter explicitly set to false, meaning the audience claim is treated as optional, the verification logic can be bypassed: the array's contents are never compared against the expected audience, and the check passes as it would for an absent optional claim. An attacker can therefore present a JWT whose audience array does not contain the expected audience, one that would otherwise be rejected, and bypass authentication or authorization controls.
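The following Go example, added here and not taken from the jwt-go source, reconstructs the flawed behaviour described above beside a hardened audience check. `Claims`, `verifyAudUnsafe`, `verifyAudHardened` and `parseClaims` are hypothetical names chosen for this illustration; the unsafe variant deliberately handles only a string-typed `aud` so that an array-typed claim degrades to an empty audience, which `req=false` accepts. The hardened variant handles both claim shapes RFC 7519 permits (a single string or an array of strings) and rejects any other type.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// Claims is a map-shaped claim set, in the spirit of the library's MapClaims
// (hypothetical reconstruction for this example, not the jwt-go source).
type Claims map[string]interface{}

// verifyAudUnsafe mirrors the pre-fix behaviour described in the advisory:
// only a string-typed "aud" is compared; any other type (including a JSON
// array) falls through as an empty audience, and an empty audience is
// accepted whenever req is false.
func verifyAudUnsafe(c Claims, expected string, req bool) bool {
	aud, _ := c["aud"].(string) // an array-typed aud yields "" here
	if aud == "" {
		return !req
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(expected)) == 1
}

// verifyAudHardened accepts a string or an array of strings and rejects any
// other type outright. With req=false only a genuinely absent (or empty)
// claim is tolerated; a present array must contain the expected audience.
func verifyAudHardened(c Claims, expected string, req bool) bool {
	raw, present := c["aud"]
	if !present {
		return !req
	}
	var auds []string
	switch v := raw.(type) {
	case string:
		auds = []string{v}
	case []string:
		auds = v
	case []interface{}: // what encoding/json produces for a JSON array
		for _, item := range v {
			s, ok := item.(string)
			if !ok {
				return false // non-string array element: malformed claim
			}
			auds = append(auds, s)
		}
	default:
		return false // numbers, objects, booleans: malformed claim
	}
	if len(auds) == 0 {
		return !req
	}
	for _, a := range auds {
		if subtle.ConstantTimeCompare([]byte(a), []byte(expected)) == 1 {
			return true
		}
	}
	return false
}

// parseClaims decodes a JWT payload JSON object into Claims. Signature
// verification is out of scope for this example; the input is constructed.
func parseClaims(payload string) (Claims, error) {
	var c Claims
	if err := json.Unmarshal([]byte(payload), &c); err != nil {
		return nil, err
	}
	return c, nil
}

func main() {
	// Constructed payload: the audience array does NOT contain "api.example".
	c, err := parseClaims(`{"sub":"alice","aud":["other-service","billing"]}`)
	if err != nil {
		panic(err)
	}
	fmt.Println("unsafe,   req=false:", verifyAudUnsafe(c, "api.example", false))   // true (bypass)
	fmt.Println("hardened, req=false:", verifyAudHardened(c, "api.example", false)) // false
}
```

The hardened check is the shape to look for when auditing code that still pins jwt-go 3.2.0 or earlier: an audience claim that is present but not of a recognised type must fail closed, and `req=false` should only ever excuse a claim that is actually missing.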
What is the Impact of CVE-2020-26160?
Successful exploitation may allow attackers to bypass authentication and authorization checks, gain unauthorized access to resources or functionality, and impersonate legitimate users or services.
What is the Exploitability of CVE-2020-26160?
Exploitation is of medium complexity, requiring an attacker to craft a JWT with a specific audience claim structure (an array of strings). The attacker must also know that the target application calls MapClaims.VerifyAudience with the req parameter set to false. This is likely a remote exploitation scenario requiring no special privileges or prior authentication, assuming the JWT is used for initial access or authorization; the main prerequisite is the ability to submit a JWT to the application. Whether MapClaims.VerifyAudience is called with req=false is the critical constraint: where it is, the likelihood of exploitation rises.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-26160?
Available Upgrade Options
- github.com/dgrijalva/jwt-go/v4
  - <4.0.0-preview1 → Upgrade to 4.0.0-preview1
Additional Resources
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515
- https://osv.dev/vulnerability/GHSA-w73w-5m7g-f7qc
- https://github.com/dgrijalva/jwt-go/issues/462
- https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab
- https://nvd.nist.gov/vuln/detail/CVE-2020-26160
- https://pkg.go.dev/vuln/GO-2020-0017
- https://github.com/dgrijalva/jwt-go/pull/426
- https://github.com/dgrijalva/jwt-go/issues/422
What are Similar Vulnerabilities to CVE-2020-26160?
Similar Vulnerabilities: CVE-2020-25638, CVE-2021-39181, CVE-2021-38297, CVE-2022-26147, CVE-2022-39226
