Description
light-oauth2 before version 2.1.27 obtains the public key without any verification. This could allow attackers to authenticate to the application with a crafted JWT token.
Remediation
References
https://github.com/KANIXB/JWTIssues/blob/main/Certification%20Verification%20issue%20in%20light-oauth2.md
https://github.com/networknt/light-oauth2/issues/369
Related Vulnerabilities
CVE-2020-28423 Vulnerability in npm package monorepo-build
CVE-2023-48967 Vulnerability in maven package org.noear:solon.serialization.fury
CVE-2018-11012 Vulnerability in maven package cc.ryanc:halo
CVE-2023-26115 Vulnerability in npm package word-wrap
CVE-2018-16469 Vulnerability in maven package org.webjars.npm:merge