JWT Algorithm Confusion
Authentication bypass by switching from asymmetric to symmetric algorithm
- Severity (CVSS): CRITICAL 9.8
- Exploitation (Shoulder): No known exploits
- Fix available: No patch yet
Should I care?
This matters if:
- Apps processing complex user input (files, forms, APIs)
- Endpoints without schema validation
Not relevant if:
- All inputs are validated against schemas
- You use strict type checking at boundaries
How it breaks apps
1. Malformed input reaches parser
2. Validation is missing or weak
3. Unexpected behavior triggered
4. Crash, bypass, or code execution
Affected packages
- npm: jsonwebtoken
Is this in your code?
Shoulder scans your codebase and tells you if CVE-2015-9235 is reachable — not just present.
npx @shoulderdev/cli trust .
Technical details
Risk by Environment
- Production (public-facing): HIGH. Patch soon. Exploitation requires specific conditions but impact is severe.
- Staging: MEDIUM. Schedule patch. Review if this environment is network-accessible.
- Internal services: MEDIUM. Assess exposure. Patch if the service handles sensitive data.
- Local dev only: LOW. Minimal risk in isolated dev environments.
AI Development Risk
This vulnerability pattern is commonly introduced when AI generates code.
CWE-20: Improper input validation
LLMs routinely skip input validation, trusting that callers will provide well-formed data.
Detection Rules (17 rules)
- CWE-20, Improper Input Validation (13 rules), including:
  - FastAPI Missing Request Validation
  - Business Logic Input Validation
  - Echo Missing Input Validation
- CWE-327, Use of a Broken or Risky Cryptographic Algorithm (4 rules), including:
  - Use of Weak Cryptographic Algorithm
  - JWT Algorithm Confusion Attack
  - Use of Weak Cryptographic Algorithm