`jsonwebtoken` 3.2.2 is vulnerable to an authentication bypass vulnerability.

In `/localization-file`, the JWT token is checked and the language is set according to the token value; the file is then served from the `__dirname` directory.

In `/localization-language`, we are able to control the `language` parameter to make the server generate a JWT token with the corresponding language in the `language` field. In `/localisation-file`, the server would send us the file at `<__dirname>/<language>`. Hence, we are able to read arbitrary files, such as `flag.txt` or `key.priv`.

We send a request to the `/localization-language` endpoint with JSON data that sets the `"language"` parameter to `"key"` in the JWT token, then request `/localisation-file` to get the key file.

We pin `jsonwebtoken` to version 3.2.2 to test whether the exploit works. Setting the `language` parameter to `flag.txt` and sending the resulting `lion-token` cookie, we can read `flag.txt`.