jsonwebtoken 3.2.2 is vulnerable to an authentication bypass.
/localization-file, the JWT token is checked and the language is set according to the token value.
/localization-language, we are able to control the language parameter to make the server generate a JWT token with the corresponding language in the
/localisation-file, the server would send us the file at <__dirname>/<language>. Hence, we are able to read arbitrary files.
/localization-language endpoint, with the JSON data:
"key" in the JWT token.
/localisation-file to get the key file.
jsonwebtoken to version 3.2.2 to test whether the exploit works.
lion-token cookie, we can read