While working on pkg.pr.new project, I scanned the dependency manifest and found that it uses a vulnerable version of fast-jwt. The scan revealed a JWT algorithm confusion issue where RSA public keys with leading whitespace may be misinterpreted as HMAC secrets, potentially allowing attackers to forge tokens and bypass authentication.
CVE Report
CVE Link