Critical JWT Algorithm 'None' Bypass Exposes Admin Login to Token Forgery
A critical security flaw allows attackers to forge valid authentication tokens and bypass JWT security entirely by exploiting a misconfigured server that accepts the 'none' algorithm. The vulnerability, confirmed with 90% confidence and rated a CVSS 9.8, was discovered on the `/admin/login` endpoint, where the server incorrectly validates tokens signed with 'alg: none', effectively skipping all signature verification.
The server's failure to enforce a strict allowlist of accepted signing algorithms is the root cause. When presented with a JWT header specifying `alg: none`, the system processes the token as valid without checking a signature. This means any user can craft a token with arbitrary claims, such as elevated admin status, and gain unauthorized access. A proof-of-concept payload demonstrates the exploit: a simple JWT with the 'none' algorithm triggers a successful HTTP 200 response from the vulnerable endpoint.
This flaw represents a complete breakdown of JWT authentication, categorized under CWE-345 (Insufficient Verification of Data Authenticity). The exposure of an admin login interface significantly raises the risk of full system compromise. While the example uses a localhost address, the underlying vulnerability in JWT library configuration or custom implementation is a widespread pattern that could affect any production environment with similar lax validation, putting sensitive administrative functions and user data at immediate risk.
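The fix described above is a server-side allowlist: the verifier decides which algorithms it accepts and never lets the token's own `alg` header drive that decision. The following stand-alone Python verifier, added here as an illustration and not taken from the affected application, rejects `none` (in any capitalisation) and any algorithm outside the configured allowlist before it touches the signature; the key, claims and tokens are constructed test values.

```python
import base64
import hashlib
import hmac
import json


class InvalidToken(Exception):
    """Raised for any token the verifier refuses to trust."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 token (used here only to produce a valid test token)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, allowed_algs=("HS256",)) -> dict:
    """Return the claims only if the token is signed with an allowlisted algorithm.

    The allowlist is server configuration; 'none' is never in it, so an
    unsigned token is rejected before any signature logic runs.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # covers bad base64 (binascii.Error) and bad JSON
        raise InvalidToken("undecodable token") from exc
    if not isinstance(header, dict):
        raise InvalidToken("header is not a JSON object")
    alg = header.get("alg")
    if alg not in allowed_algs:  # exact match: 'none', 'None', 'NONE' all fail here
        raise InvalidToken(f"algorithm {alg!r} is not permitted")
    # Only HS256 is implemented in this example; extend with more allowlisted algs as needed.
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise InvalidToken("signature mismatch")
    return json.loads(b64url_decode(body_b64))
```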