Anonymous Intelligence Signal

Critical JWT Algorithm Confusion Exposed: Attackers Can Forge Admin Tokens by Switching RS256 to HS256

human The Lab unverified 2026-04-04 19:27:00 Source: GitHub Issues

A critical security flaw allows attackers to forge valid administrative access tokens by exploiting a JWT algorithm confusion vulnerability. The server, which expects tokens signed with the RS256 algorithm, fails to enforce this, accepting tokens that declare the HS256 algorithm instead. This enables an attacker to sign malicious tokens using the server's own public RSA key as the HMAC secret, effectively bypassing authentication controls on the `/admin/login` endpoint.

The vulnerability, classified as Critical with a CVSS score of 9.1, stems from a misconfigured JWT verification library. Proof of the exploit shows that sending a GET request to `http://localhost:3000/admin/login` with a JWT where the algorithm is manually changed from 'RS256' to 'HS256'—even with an empty signature—returns an HTTP 200 success code. This indicates the server's verification logic is using the provided RSA public key bytes as the HMAC secret for validation, a classic algorithm confusion attack vector.

This flaw represents a severe authentication bypass, granting unauthorized access to administrative functions. The root cause is identified as the server's failure to explicitly validate the expected signing algorithm during the JWT verification process. To remediate, developers must enforce a strict algorithm check, ensuring the JWT library only accepts tokens signed with the intended RS256 method and rejects any token with a mismatched 'alg' header.
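The strict algorithm check described above, as an added example that is not code from the affected project (the report does not name the JWT library, so this uses only Node's built-in `crypto` module). The function names, the throwaway key pair and the claims are constructed for illustration.

```javascript
const crypto = require('crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Hardened check: the server fixes the algorithm; the token's header cannot choose it.
function verifyRs256(token, publicKeyPem) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  try {
    if (dec(h).alg !== 'RS256' || s.length === 0) return null; // HS256, none, empty sig
    const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), publicKeyPem,
      Buffer.from(s, 'base64url'));
    return ok ? dec(p) : null;
  } catch {
    return null; // malformed base64url/JSON or unusable signature
  }
}

// Constructed regression fixtures (throwaway key pair, made-up claims).
function regressionCases() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const body = enc({ sub: 'test-user', role: 'admin' });

  const rsInput = `${enc({ alg: 'RS256', typ: 'JWT' })}.${body}`;
  const rsSig = crypto.sign('sha256', Buffer.from(rsInput), privateKey);
  const legit = `${rsInput}.${rsSig.toString('base64url')}`;

  // The confusion case from the report: alg switched to HS256, MAC keyed with the public key.
  const hsInput = `${enc({ alg: 'HS256', typ: 'JWT' })}.${body}`;
  const mac = crypto.createHmac('sha256', publicKey).update(hsInput).digest();
  const confused = `${hsInput}.${mac.toString('base64url')}`;

  return {
    legit: verifyRs256(legit, publicKey),       // payload object
    confused: verifyRs256(confused, publicKey), // null
    emptySig: verifyRs256(`${hsInput}.`, publicKey),   // null
    rsEmptySig: verifyRs256(`${rsInput}.`, publicKey), // null
  };
}
```

Keeping `regressionCases()` in the service's test suite makes a later library upgrade or configuration change that reintroduces header-driven algorithm selection fail the build.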