Zion Boggan
repos/Security Portfolio/jwt-differential-fuzzer/index.html
zionboggan.com ↗
Code Commits Tags
265 lines · html
History for this file →
1
<!doctype html>
2
<html lang="en">
3
<head>
4
<meta charset="utf-8">
5
<meta name="viewport" content="width=device-width, initial-scale=1.0">
6
<title>Schism, JWT Differential Fuzzer | Zion Boggan</title>
7
<meta name="description" content="Differentially tests JWT libraries against each other and the RFCs to surface algorithm-confusion and parsing-divergence bypasses.">
8
<link rel="icon" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'%3E%3Crect width='32' height='32' rx='6' fill='%230c0e12'/%3E%3Ctext x='16' y='22' font-family='monospace' font-size='15' fill='%236cc7b8' text-anchor='middle'%3Ezb%3C/text%3E%3C/svg%3E">
9
<style>
10
  :root{
11
    --bg:#0c0e12; --bg2:#0f1217; --panel:#14181f; --panel2:#171c24;
12
    --line:#222936; --line2:#2c3543;
13
    --ink:#e8eaed; --soft:#c3cad4; --muted:#8a94a3; --faint:#5d6675;
14
    --accent:#6cc7b8; --accent-dim:#274b47;
15
    --maxw:1020px;
16
  }
17
  *{box-sizing:border-box;}
18
  html{scroll-behavior:smooth;}
19
  body{margin:0;background:var(--bg);color:var(--ink);
20
    font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Helvetica,Arial,sans-serif;
21
    font-size:16px;line-height:1.65;-webkit-font-smoothing:antialiased;}
22
  .mono{font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,monospace;}
23
  a{color:var(--accent);text-decoration:none;}
24
  a:hover{color:#8fe0d2;}
25
  .wrap{max-width:var(--maxw);margin:0 auto;padding:0 24px;}
26
27
  /* nav */
28
  nav{position:sticky;top:0;z-index:20;background:rgba(12,14,18,.82);
29
    backdrop-filter:blur(10px);border-bottom:1px solid var(--line);}
30
  nav .wrap{display:flex;align-items:center;justify-content:space-between;height:58px;}
31
  nav .brand{font-weight:600;letter-spacing:.2px;}
32
  nav .brand .dot{color:var(--accent);}
33
  nav .links{display:flex;gap:26px;font-size:13.5px;}
34
  nav .links a{color:var(--muted);}
35
  nav .links a:hover{color:var(--ink);}
36
  @media(max-width:680px){nav .links{display:none;}}
37
38
  /* hero */
39
  header.hero{padding:74px 0 54px;border-bottom:1px solid var(--line);
40
    background:radial-gradient(900px 380px at 78% -10%, #11201e 0%, transparent 60%);}
41
  .avail{font-size:12.5px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);
42
    display:flex;align-items:center;gap:9px;margin-bottom:20px;}
43
  .avail .pulse{width:7px;height:7px;border-radius:50%;background:var(--accent);
44
    box-shadow:0 0 0 0 rgba(108,199,184,.5);animation:p 2.4s infinite;}
45
  @keyframes p{0%{box-shadow:0 0 0 0 rgba(108,199,184,.45)}70%{box-shadow:0 0 0 8px rgba(108,199,184,0)}100%{box-shadow:0 0 0 0 rgba(108,199,184,0)}}
46
  h1{font-size:clamp(34px,6vw,52px);line-height:1.05;margin:0 0 8px;letter-spacing:-1px;font-weight:680;}
47
  .hero .sub{font-size:clamp(16px,2.4vw,20px);color:var(--soft);margin:0 0 24px;font-weight:500;}
48
  .hero .lede{max-width:660px;color:var(--soft);font-size:17px;margin:0 0 28px;}
49
  .hero .lede b{color:var(--ink);font-weight:600;}
50
  .cta{display:flex;flex-wrap:wrap;gap:12px;align-items:center;}
51
  .btn{display:inline-flex;align-items:center;gap:8px;padding:10px 18px;border-radius:8px;
52
    font-size:14.5px;font-weight:550;border:1px solid var(--line2);color:var(--ink);background:var(--panel);}
53
  .btn:hover{border-color:var(--accent-dim);background:var(--panel2);color:var(--ink);}
54
  .btn.primary{background:var(--accent);color:#06231f;border-color:var(--accent);font-weight:650;}
55
  .btn.primary:hover{background:#8fe0d2;color:#06231f;}
56
  .meta{margin-top:26px;display:flex;flex-wrap:wrap;gap:8px 22px;font-size:13px;color:var(--muted);}
57
  .meta .mono{color:var(--faint);}
58
59
  /* sections */
60
  section{padding:64px 0;border-bottom:1px solid var(--line);}
61
  .shead{display:flex;align-items:baseline;gap:14px;margin-bottom:30px;}
62
  .shead .idx{font-size:13px;color:var(--accent);letter-spacing:1px;}
63
  .shead h2{font-size:14px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:0;font-weight:600;}
64
  .shead .rule{flex:1;height:1px;background:var(--line);}
65
66
  /* flagship */
67
  .flag{background:linear-gradient(180deg,var(--panel) 0%,var(--bg2) 100%);
68
    border:1px solid var(--line2);border-radius:14px;overflow:hidden;}
69
  .flag .top{padding:30px 32px 8px;}
70
  .flag .tag{font-size:12px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);margin-bottom:12px;}
71
  .flag h3{font-size:27px;margin:0 0 6px;letter-spacing:-.4px;}
72
  .flag h3 .v{font-size:13px;color:var(--muted);font-weight:500;margin-left:8px;letter-spacing:0;}
73
  .flag .grid{display:grid;grid-template-columns:1.25fr 1fr;gap:30px;padding:14px 32px 30px;}
74
  .flag p{color:var(--soft);margin:0 0 16px;}
75
  .flag .stats{display:grid;grid-template-columns:1fr 1fr;gap:12px;margin-top:6px;}
76
  .stat{background:var(--bg);border:1px solid var(--line);border-radius:9px;padding:13px 15px;}
77
  .stat .n{font-size:21px;font-weight:680;color:var(--ink);}
78
  .stat .k{font-size:12px;color:var(--muted);margin-top:2px;}
79
  .spec{background:var(--bg);border:1px solid var(--line);border-radius:10px;padding:18px 18px;}
80
  .spec .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:10px;}
81
  .spec ul{margin:0;padding:0;list-style:none;font-size:13.5px;}
82
  .spec li{padding:6px 0;border-top:1px solid var(--line);color:var(--soft);display:flex;justify-content:space-between;gap:14px;}
83
  .spec li:first-child{border-top:none;}
84
  .spec li span{color:var(--muted);}
85
  .flag .foot{padding:0 32px 28px;display:flex;gap:18px;flex-wrap:wrap;font-size:14px;}
86
  @media(max-width:720px){.flag .grid{grid-template-columns:1fr;}}
87
88
  /* lab cards */
89
  .cards{display:grid;grid-template-columns:1fr 1fr;gap:20px;}
90
  @media(max-width:680px){.cards{grid-template-columns:1fr;}}
91
  .card{border:1px solid var(--line);border-radius:12px;overflow:hidden;background:var(--panel);
92
    display:flex;flex-direction:column;transition:border-color .15s,transform .15s;}
93
  .card:hover{border-color:var(--accent-dim);transform:translateY(-2px);}
94
  .card .thumb{height:172px;overflow:hidden;border-bottom:1px solid var(--line);background:#fff;}
95
  .card .thumb img{width:100%;height:100%;object-fit:cover;object-position:top left;display:block;}
96
  .card .body{padding:18px 20px 20px;display:flex;flex-direction:column;flex:1;}
97
  .card h3{margin:0 0 9px;font-size:17px;}
98
  .card p{margin:0 0 14px;font-size:14px;color:var(--soft);flex:1;}
99
  .tags{display:flex;flex-wrap:wrap;gap:6px;margin-bottom:14px;}
100
  .tags span{font-size:11.5px;color:var(--muted);background:var(--bg);border:1px solid var(--line);
101
    border-radius:5px;padding:3px 8px;}
102
  .card .lnk{font-size:13.5px;font-family:ui-monospace,Menlo,monospace;}
103
  .card .lnk::after{content:" →";}
104
105
  /* research */
106
  .rlede{color:var(--soft);max-width:680px;margin:-6px 0 26px;}
107
  .research{display:flex;flex-direction:column;gap:0;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
108
  .ritem{display:grid;grid-template-columns:120px 1fr auto;gap:18px;align-items:center;
109
    padding:18px 22px;border-top:1px solid var(--line);}
110
  .ritem:first-child{border-top:none;}
111
  .ritem:hover{background:var(--panel);}
112
  .ritem .cls{font-size:11px;letter-spacing:.5px;text-transform:uppercase;color:var(--accent);}
113
  .ritem h3{margin:0 0 3px;font-size:16px;}
114
  .ritem p{margin:0;font-size:13.5px;color:var(--muted);}
115
  .ritem .go{font-family:ui-monospace,Menlo,monospace;font-size:13px;white-space:nowrap;}
116
  @media(max-width:680px){.ritem{grid-template-columns:1fr;gap:6px;}.ritem .go{margin-top:4px;}}
117
  .progs{margin-top:22px;}
118
  .progs .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:11px;}
119
  .progs .row{display:flex;flex-wrap:wrap;gap:7px;}
120
  .progs .row span{font-size:12.5px;color:var(--soft);background:var(--panel);border:1px solid var(--line);
121
    border-radius:6px;padding:4px 10px;}
122
123
  /* credentials */
124
  .cred{display:grid;grid-template-columns:1.1fr 1fr;gap:28px;}
125
  @media(max-width:680px){.cred{grid-template-columns:1fr;}}
126
  .cred p{color:var(--soft);margin:0 0 14px;}
127
  .cred .role{font-size:14px;color:var(--muted);}
128
  .cred .role b{color:var(--ink);font-weight:600;}
129
  .certs{list-style:none;margin:0;padding:0;}
130
  .certs li{padding:9px 0;border-top:1px solid var(--line);font-size:14px;color:var(--soft);
131
    display:flex;gap:10px;align-items:baseline;}
132
  .certs li:first-child{border-top:none;}
133
  .certs li .c{color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:12px;}
134
135
  footer{padding:46px 0 64px;}
136
  footer .row{display:flex;flex-wrap:wrap;justify-content:space-between;gap:18px;align-items:center;}
137
  footer .links a{color:var(--soft);margin-right:20px;font-size:14px;}
138
  footer .note{color:var(--faint);font-size:12.5px;max-width:520px;}
139
140
  /* detail pages */
141
  .detail-hero{padding:40px 0 28px;}
142
  .back{display:inline-block;font-size:13px;color:var(--muted);margin-bottom:22px;font-family:ui-monospace,Menlo,monospace;}
143
  .back:hover{color:var(--ink);}
144
  .kicker{font-size:12px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin-bottom:13px;font-family:ui-monospace,Menlo,monospace;}
145
  .detail-hero h1{font-size:clamp(28px,5vw,42px);margin:0 0 12px;letter-spacing:-.6px;}
146
  .detail-hero .tagline{font-size:clamp(16px,2.2vw,19px);color:var(--soft);max-width:780px;margin:0 0 18px;}
147
  .facts{display:grid;grid-template-columns:repeat(auto-fit,minmax(148px,1fr));gap:12px;margin-top:24px;}
148
  figure{margin:0;}
149
  .shot{border:1px solid var(--line2);border-radius:12px;overflow:hidden;background:#fff;margin:30px 0 6px;}
150
  .shot img,.shot video{display:block;width:100%;height:auto;}
151
  figcaption{font-size:13px;color:var(--muted);margin:11px 2px 0;}
152
  .content{padding:6px 0 0;}
153
  .content h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:44px 0 16px;font-weight:600;border-top:1px solid var(--line);padding-top:30px;}
154
  .content h2.first{border-top:none;padding-top:6px;margin-top:18px;}
155
  .content p{color:var(--soft);margin:0 0 16px;}
156
  .content ul,.content ol{color:var(--soft);margin:0 0 16px;padding-left:22px;}
157
  .content li{margin:6px 0;}
158
  .content strong{color:var(--ink);font-weight:600;}
159
  .content code{font-family:ui-monospace,Menlo,monospace;font-size:13px;background:var(--panel2);border:1px solid var(--line);border-radius:4px;padding:1px 5px;color:var(--soft);}
160
  .content pre{background:var(--bg2);border:1px solid var(--line2);border-radius:10px;padding:15px 18px;overflow-x:auto;margin:0 0 18px;}
161
  .content pre code{background:none;border:none;padding:0;font-size:12.5px;color:var(--soft);line-height:1.62;}
162
  .content table{width:100%;border-collapse:collapse;margin:2px 0 20px;font-size:13.5px;}
163
  .content th{text-align:left;color:var(--muted);font-weight:600;border-bottom:1px solid var(--line2);padding:9px 12px;font-size:11px;letter-spacing:.6px;text-transform:uppercase;}
164
  .content td{color:var(--soft);border-bottom:1px solid var(--line);padding:9px 12px;vertical-align:top;}
165
  .content td code{font-size:12px;}
166
  .gallery{margin-top:8px;}
167
  .repo-line{margin:42px 0 0;color:var(--faint);font-size:12.5px;font-family:ui-monospace,Menlo,monospace;}
168
</style>
169
<link rel="canonical" href="https://zionboggan.com/jwt-differential-fuzzer/">
170
<meta name="author" content="Zion Boggan">
171
<meta name="robots" content="index, follow, max-image-preview:large">
172
<meta property="og:type" content="article">
173
<meta property="og:site_name" content="Zion Boggan">
174
<meta property="og:title" content="Schism - JWT Differential Fuzzer | Zion Boggan">
175
<meta property="og:description" content="Differentially tests JWT libraries against each other and the RFCs to surface algorithm-confusion and parsing-divergence bypasses.">
176
<meta property="og:url" content="https://zionboggan.com/jwt-differential-fuzzer/">
177
<meta property="og:image" content="https://zionboggan.com/assets/og-default.png">
178
<meta name="twitter:card" content="summary_large_image">
179
<meta name="twitter:title" content="Schism - JWT Differential Fuzzer | Zion Boggan">
180
<meta name="twitter:description" content="Differentially tests JWT libraries against each other and the RFCs to surface algorithm-confusion and parsing-divergence bypasses.">
181
<meta name="twitter:image" content="https://zionboggan.com/assets/og-default.png">
182
<script type="application/ld+json">{"@context":"https://schema.org","@type":"TechArticle","headline":"Schism - JWT Differential Fuzzer","description":"Differentially tests JWT libraries against each other and the RFCs to surface algorithm-confusion and parsing-divergence bypasses.","url":"https://zionboggan.com/jwt-differential-fuzzer/","image":"https://zionboggan.com/assets/og-default.png","author":{"@type":"Person","name":"Zion Boggan","url":"https://zionboggan.com"},"publisher":{"@type":"Person","name":"Zion Boggan"}}</script>
183
</head>
184
<body>
185
<nav><div class="wrap">
186
  <a class="brand mono" href="/" style="color:var(--ink)">zion_boggan<span class="dot">.</span></a>
187
  <span class="links">
188
    <a href="/#oversight">Oversight</a>
189
    <a href="/#labs">Labs</a>
190
    <a href="/#research">Research</a>
191
    <a href="/#background">Background</a>
192
    <a href="/">Home</a>
193
  </span>
194
</div></nav>
195
<header class="hero detail-hero"><div class="wrap">
196
  <a class="back" href="/#labs">&larr; All work</a>
197
  <div class="kicker">JWT / AUTH</div>
198
  <h1>Schism, JWT Differential Fuzzer</h1>
199
  <p class="tagline">Differentially tests JWT libraries against each other and the RFCs to surface algorithm-confusion and parsing-divergence bypasses.</p>
200
  <div class="tags"><span>JWT</span><span>Differential fuzzing</span><span>Algorithm confusion</span><span>RFC 7515</span><span>RFC 7519</span><span>Coordinated disclosure</span><span>Auth bypass</span></div>
201
  <div class="facts"><div class="stat"><div class="n">5</div><div class="k">JWT libraries differentially tested</div></div><div class="stat"><div class="n">73</div><div class="k">cases in the seed corpus</div></div><div class="stat"><div class="n">13</div><div class="k">bug classes covered</div></div><div class="stat"><div class="n">2</div><div class="k">confirmed bypass advisories (F001, F002)</div></div><div class="stat"><div class="n">3</div><div class="k">sister CVEs anchoring the disclosure</div></div></div>
202
  <div class="cta" style="margin-top:24px"></div>
203
</div></header>
204
<section><div class="wrap">
205
206
  <div class="content">
207
  <h2 class="first">The differential approach</h2>
208
<p>Schism does not decide on its own whether a token is valid. It treats the JWT ecosystem as its own oracle: it submits one corpus case to every running library and flags any case where the libraries do not agree. The orchestrator collapses the responses by the <code>valid</code> field; if the set of accepting verifiers and the set of rejecting verifiers are both non-empty, the case is flagged. An unanimous outcome, even an unanimously wrong one, is not a finding, because no library can be split against another.</p><p>Error wording is bucketed by class rather than compared literally, so the different diagnostic strings each library emits for the same rejection never produce a false positive. Only the boolean verdict matters. Where the corpus carries an <code>expected_unanimous</code> of <code>reject</code> and any library still accepts, the disagreement is labelled BYPASS; the inverse is DOS; anything else is SPLIT. The comparison and labelling logic, verbatim from <code>orchestrator/differ.py</code>:</p><pre><code>def disagreement(results):
209
    verdicts = {n: r.get("valid") for n, r in results.items()}
210
    distinct = set(v for v in verdicts.values() if v is not None)
211
    return len(distinct) > 1
212
213
# ... per flagged case:
214
acceptors = [n for n, v in verdicts.items() if v is True]
215
rejectors = [n for n, v in verdicts.items() if v is False]
216
217
tag = "BYPASS" if (expected == "reject" and acceptors)\
218
      else "DOS"  if (expected == "accept" and rejectors)\
219
      else "SPLIT"</code></pre><p>Transport failures resolve to <code>valid: None</code> and are excluded from the distinct-verdict set, so an unreachable target degrades coverage rather than corrupting a comparison. The run exits non-zero when any case is flagged, which makes the harness usable as a regression gate.</p>
220
<h2>Libraries under test</h2>
221
<p>Five libraries run as v1 targets, each a thin HTTP wrapper over the library's own <code>verify()</code> call inside a minimal Docker container exposing <code>POST /verify</code> on a fixed port. The selection spans three languages and is weighted toward the libraries with the largest downstream blast radius and the longest history of JOSE-layer defects. <code>jose</code> (panva) is the most spec-compliant of the set and is used as the de facto compliance oracle.</p><table><thead><tr><th>ID</th><th>Library</th><th>Language</th><th>Rationale</th></tr></thead><tbody><tr><td><code>nodejwt</code></td><td><code>jsonwebtoken</code> (Auth0)</td><td>Node</td><td>~10M weekly npm downloads</td></tr><tr><td><code>pyjwt</code></td><td><code>PyJWT</code></td><td>Python</td><td>Most-used Python lib; historical alg-confusion CVEs</td></tr><tr><td><code>pyjose</code></td><td><code>python-jose</code></td><td>Python</td><td>Looser parser; CVE-2024-33663 territory</td></tr><tr><td><code>panva</code></td><td><code>jose</code> (panva)</td><td>Node</td><td>Most spec-compliant JS lib; oracle</td></tr><tr><td><code>gojwt</code></td><td><code>golang-jwt/jwt</code> v5</td><td>Go</td><td>Used in Kubernetes, Helm, etc.</td></tr></tbody></table><p>The panva wrapper detects key type by content rather than by declared algorithm, so the library is given the same chance the others get to refuse a mismatched <code>(key, alg)</code> pair, important for not manufacturing alg-confusion divergences that are really wrapper artifacts:</p><pre><code>async function importKey(keyMaterial, algs) {
222
  if (typeof keyMaterial === "string" && keyMaterial.includes("BEGIN")) {
223
    const asymAlgs = algs.filter((a) => /^(RS|PS|ES|Ed)/.test(a));
224
    const tryAlg = asymAlgs[0] || algs[0];
225
    return await jose
226
      .importSPKI(keyMaterial, tryAlg)
227
      .catch(async () => jose.importX509(keyMaterial, tryAlg));
228
  }
229
  if (typeof keyMaterial === "object" && keyMaterial !== null) {
230
    return await jose.importJWK(keyMaterial, algs[0]);
231
  }
232
  return new TextEncoder().encode(keyMaterial);
233
}</code></pre><p>A v2 expansion is planned to add <code>nimbus-jose-jwt</code> (Java), the Rust <code>jsonwebtoken</code>, and <code>lcobucci/jwt</code> (PHP), broadening the cross-language surface where token bytes change hands.</p>
234
<h2>Oracle design and divergence classes</h2>
235
<p>The seed corpus carries 73 cases across 13 bug classes. Three are baseline positive controls (RS256, HS256, ES256 happy paths) whose job is to catch a broken or misconfigured wrapper before any negative case is trusted. The remaining classes target known JWT failure modes, each case tagged with the governing RFC clause or prior CVE:</p><table><thead><tr><th>Class</th><th>Cases</th><th>What it probes</th></tr></thead><tbody><tr><td><code>none-alg</code></td><td>9</td><td><code>alg:none</code> case variants, none, None, NONE, NoNe</td></tr><tr><td><code>alg-confusion</code></td><td>6</td><td>HS256 signed against the RSA public key</td></tr><tr><td><code>crit-header</code></td><td>5</td><td>RFC 7515 §4.1.11 critical-header enforcement</td></tr><tr><td><code>kid-injection</code></td><td>8</td><td>SQL-i and path-traversal patterns in <code>kid</code></td></tr><tr><td><code>key-injection</code></td><td>3</td><td>Embedded <code>jwk</code> / <code>jku</code> self-signed key trust</td></tr><tr><td><code>sig-mutation</code></td><td>8</td><td>Truncated, flipped, and stripped signatures</td></tr><tr><td><code>ecdsa-encoding</code></td><td>3</td><td>ECDSA <code>r</code>/<code>s</code> of zero, n, and n−1</td></tr><tr><td><code>claim-typing</code></td><td>10</td><td><code>exp</code>/<code>nbf</code>/<code>aud</code> type coercion and overflow</td></tr><tr><td><code>header-quirk</code></td><td>7</td><td>Duplicate keys, NUL bytes, BOM, unicode in the header</td></tr><tr><td><code>format</code></td><td>6</td><td>Compact-serialization framing and padding edge cases</td></tr><tr><td><code>allowlist-edge</code></td><td>3</td><td>Algorithm allowlist bypass and empty-allowlist behaviour</td></tr><tr><td><code>b64-detached</code></td><td>2</td><td>RFC 7797 <code>b64=false</code> detached-payload handling</td></tr></tbody></table><p>Each case records its bug-class tag, the inputs, the <code>expected_unanimous</code> outcome that should hold if every library agreed, and a <code>notes</code> pointer to the RFC clause or prior CVE that governs the correct behaviour. The oracle is deliberately conservative: it never asserts the spec-correct answer to a library, only that the libraries must answer in unison. The spec citation is brought in by hand at triage, once a real divergence has been isolated, which is what turns a flagged row into an advisory that can pick a winner.</p>
236
<h2>F001, node-jsonwebtoken: RFC 7515 §4.1.11 crit not enforced</h2>
237
<p><strong>Affected:</strong> <code>jsonwebtoken</code> (npm), <code>auth0/node-jsonwebtoken</code>. <strong>Tested:</strong> 9.0.3 (latest at time of testing). <strong>Class:</strong> spec violation of RFC 7515 §4.1.11 (Critical Header Parameter).</p><p><strong>Root cause.</strong> The library does not implement critical-header processing. RFC 7515 §4.1.11 is explicit: <em>"If any of the listed extension Header Parameters are not understood and supported by the recipient, then the JWS is invalid."</em> A signed JWS whose <code>crit</code> array lists an extension parameter the recipient does not understand MUST be rejected. <code>jsonwebtoken</code> instead accepts such tokens unconditionally whenever the signature is valid for the declared <code>alg</code>. Source confirmation: <code>verify.js</code> on <code>master</code> never references <code>crit</code>, RFC 7515 §4.1.11, RFC 7797, or <code>b64</code>; its verification path validates only <code>alg</code>, <code>nbf</code>, <code>exp</code>, <code>aud</code>, <code>iss</code>, <code>sub</code>, <code>jti</code>, <code>nonce</code>, <code>iat</code>, and <code>maxAge</code>. No code path inspects the <code>crit</code> array.</p><p><strong>How Schism caught it.</strong> Running corpus case <code>crit-crit-eca</code> split the verifiers, <code>panva</code> and <code>PyJWT</code> 2.12.0+ correctly reject the same token <code>jsonwebtoken</code> accepts:</p><pre><code>[schism] 4/5 targets up: ['nodejwt', 'pyjwt', 'pyjose', 'panva']
238
[BYPASS] crit-crit-eca                        sev=bypass-risk  accept=['nodejwt', 'pyjose']  reject=['pyjwt', 'panva']</code></pre><p>Per-library verdict on the case:</p><pre><code>nodejwt 9.0.3  valid=True
239
pyjwt   2.12.0 valid=False  InvalidJWTError: Token has unsupported critical header
240
pyjose  3.3.0  valid=True
241
panva   5.10.0 valid=False  ERR_JOSE_NOT_SUPPORTED: Extension Header Parameter "foobar" is not recognized</code></pre><p><strong>Repro structure (sanitized).</strong> The test case constructs a normally HS256-signed token whose JOSE header additionally carries <code>crit</code> listing an unregistered extension name, with that extension also present in the header:</p><pre><code>header  = { alg: "HS256", typ: "JWT", crit: ["&lt;ext&gt;"], "&lt;ext&gt;": true }
242
claims  = { sub: "alice", iat: ..., exp: ... }
243
token   = sign(header, claims, secret)   // signature is genuinely valid
244
verify(token, secret, { algorithms: ["HS256"] })
245
// observed: ACCEPTED. spec-correct: REJECTED (extension not supported)</code></pre><p><strong>Impact.</strong> The split is exploitable wherever a security-relevant extension is declared critical and the directive is silently dropped by the lenient verifier: RFC 7797 detached payloads (<code>b64=false</code>), RFC 9449 DPoP proof-of-possession binding declared via <code>cnf</code>, and custom application claims (e.g. <code>crit:["x-tenant-pin"]</code>). In a heterogeneous fleet, <code>jsonwebtoken</code> on a backend behind a panva gateway, the split-brain interpretation lets an attacker pass a token the strict hop would have refused.</p>
246
<h2>F002, python-jose: RFC 7515 §4.1.11 crit not enforced</h2>
247
<p><strong>Affected:</strong> <code>python-jose</code> (PyPI), <code>mpdavis/python-jose</code>. <strong>Tested:</strong> 3.3.0 (latest, last released 2022). <strong>Class:</strong> spec violation of RFC 7515 §4.1.11 (Critical Header Parameter).</p><p><strong>Root cause.</strong> The same defect as F001 in a second library. <code>jose/jws.py</code> on <code>master</code> never references <code>crit</code>, RFC 7515 §4.1.11, RFC 7797, or <code>b64</code>; <code>_load()</code> decodes the header JSON without inspecting <code>crit</code>, and <code>_encode_header()</code> passes arbitrary additional headers through with no validation. A signed JWS declaring an unknown critical extension is accepted as long as the signature is otherwise valid.</p><p><strong>Maintenance caveat.</strong> <code>python-jose</code> has had no release since 3.3.0 (2022) and its GitHub advisory page shows zero published advisories, yet it remains widely deployed via transitive dependency chains (FastAPI-adjacent stacks, OAuth2 clients) and is not formally deprecated. A CVE here serves both as user notification and as input for downstream forks.</p><p><strong>Same divergence, same case.</strong> <code>crit-crit-eca</code> produces the identical BYPASS row: <code>accept=[nodejwt, pyjose]</code>, <code>reject=[pyjwt, panva]</code>. The standalone reproducer builds the token directly with the standard library, base64url JOSE header carrying <code>crit:["&lt;ext&gt;"]</code>, base64url claims, and a genuine HMAC-SHA256 signature, then calls <code>jose.jwt.decode(token, secret, algorithms=["HS256"])</code> and observes acceptance where RFC 7515 §4.1.11 requires the decode to raise. No forged signature and no key compromise is involved; the signature is valid by construction and the defect is purely the unenforced critical-header directive.</p><p><strong>Impact.</strong> Identical to F001. Any application relying on <code>crit</code> to enforce a security-relevant extension cannot rely on <code>python-jose</code> to honor it; in deployments where one service uses <code>python-jose</code> and another uses a strict verifier (panva, PyJWT ≥ 2.12.0), the same bytes parse with different guarantees at different hops, the split-brain validation pattern documented in CVE-2025-59420 (Authlib).</p>
248
<h2>Disclosure status</h2>
249
<p>Both findings are the same defect, RFC 7515 §4.1.11 critical-header processing absent, in two libraries that remain unpatched. The defect is not hypothetical: the identical bug class was already disclosed and fixed in three sister libraries, which both confirms the impact and supplies the spec precedent that decides the correct behaviour.</p><table><thead><tr><th>Library</th><th>Advisory</th><th>Fixed</th></tr></thead><tbody><tr><td><code>PyJWT</code></td><td>CVE-2026-32597 / GHSA-752w-5fwx-jx9f</td><td>2.12.0</td></tr><tr><td><code>fast-jwt</code></td><td>CVE-2026-35042</td><td>per advisory</td></tr><tr><td><code>Authlib</code></td><td>CVE-2025-59420 / GHSA-9ggr-2464-2j32</td><td>per advisory, CVSS 7.5</td></tr><tr><td><strong><code>jsonwebtoken</code> (F001)</strong></td><td><strong>none</strong></td><td><strong>unpatched</strong></td></tr><tr><td><strong><code>python-jose</code> (F002)</strong></td><td><strong>none</strong></td><td><strong>unpatched</strong></td></tr></tbody></table><p>Each finding follows responsible-disclosure norms before broadening publication:</p><ol><li>Confirm the disagreement reproduces against the latest released version of each affected library.</li><li>Confirm a spec citation that picks a winner, the RFC mandates X, the library does not implement X.</li><li>File a GitHub Security Advisory at the affected repository.</li><li>Request a CVE via the repository's CNA or MITRE.</li><li>Wait for the upstream patch or embargo expiration before broadening publication.</li></ol><p>F001 was filed via GitHub Security Advisory at <code>auth0/node-jsonwebtoken</code> and F002 at <code>mpdavis/python-jose</code>, both with CVEs requested via MITRE. The suggested remediation in both writeups mirrors panva's contract: parse the header, validate that <code>crit</code> is a non-empty array of strings each present in the header, forbid reserved RFC names from appearing in it, and reject any entry not in a caller-supplied allowlist of supported extensions exposed through the public verify API.</p>
250
  </div>
251
252
  <p class="repo-line">Repository &middot; github.com/zionboggan/jwt-differential-fuzzer</p>
253
</div></section>
254
<footer><div class="wrap row">
255
  <div class="links">
256
    <a href="/">Portfolio</a>
257
    <a href="https://www.linkedin.com/in/zion-boggan">LinkedIn</a>
258
    <a href="https://oversightprotocol.dev/">Oversight</a>
259
    <a href="mailto:zionboggan0@gmail.com">Email</a>
260
  </div>
261
  <div class="note">Built and deployed on a self-hosted Proxmox homelab. This page mirrors the
262
  project's documentation and results so the work is fully viewable here.</div>
263
</div></footer>
264
</body>
265
</html>