Algorithm value in the JWT token is found to be set to 'none'

What is the Vulnerability?

This vulnerability arises when a JWT (JSON Web Token) has its alg (algorithm) field set to "none", and the server fails to validate or enforce proper signature verification.

In this case, the token includes no cryptographic signature, yet some improperly configured backends still treat the token as valid. This flaw allows attackers to forge tokens without knowing the secret key or private key.

Best Practices to Prevent JWT 'none' Algorithm Exploits:

• Never Trust the 'alg' Field from the Client:
  Hardcode the expected algorithm (e.g., RS256) on the server-side. Do not choose the algorithm based on the JWT header.


• Use Verified Libraries:
  Always use updated and tested JWT libraries that do not allow alg=none by default. Avoid old or unsupported libraries that still support "none" as an algorithm.


• Disable none Algorithm Explicitly:
  Make sure your JWT decoding library does not allow alg=none or any unsigned tokens.


• Validate Token Signature Strictly:
  Set up your application to reject any unsigned tokens. Ensure that verification checks the token’s signature against the expected algorithm.


• Avoid Weak Server Configurations:
  If using Apache, Nginx, or reverse proxies, make sure there are no misconfigurations that allow bypassing authentication via manipulated JWTs.


• Avoid outdated server versions or libraries such as:
  jsonwebtoken < 8.5.1 (Node.js) - older versions allowed none under some misuses.
  python-jose < 3.2.0 (Python) - fix included in the latest versions.

The alg: none vulnerability is a reminder that security should never rely on user-provided claims. Always verify tokens using trusted cryptographic methods and never trust what's in the header without backend enforcement.