JSON Web Token Signature Bypass via kid Path Traversal

high Web App Scanning Plugin ID 115300

Synopsis

JSON Web Token Signature Bypass via kid Path Traversal

Description

JSON Web Tokens can be signed to protect against data tampering. The 'kid' (Key ID) header parameter is sometimes used by applications as a path to a file whose content is used as the key to verify the token signature.

When the 'kid' value is not validated, an attacker can use path traversal to point it to a predictable file with known content, such as an empty file (/dev/null). The attacker can then sign a forged token with the corresponding key (an empty key for an empty file), which will be accepted by the application.

Depending on the token usage, attackers could leverage this vulnerability to forge valid tokens and impersonate other users, or gain further privileges.

Solution

Ensure that the application validates every JSON Web Token against a trusted key it controls. Header parameters that influence key resolution (kid, jwk, jku, x5u, x5c) must never be trusted as-is: pin verification to a known key or a strict allow-list, reject tokens whose header selects an unexpected key, and sanitize any value used to look up or load a key.

See Also

https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries

https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html

https://portswigger.net/web-security/jwt

https://research.securitum.com/jwt-json-web-token-security/

Plugin Details

Severity: High

ID: 115300

Type: Check Based

Published: 7/17/2026

Updated: 7/17/2026

Scan Template: api, basic, full, mcp, pci, scan

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: High

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information