# JWT Security Vulnerabilities

- ID: go-jwt-vulnerabilities
- Severity: HIGH
- CWE: Improper Signature Verification (CWE-347)
- Languages: Go

## Description

The JWT implementation accepts the "none" algorithm, uses a weak secret, or issues tokens without an expiration.

## Detection Message

JWT implementation has security weaknesses

## Remediation

Validate the signing algorithm explicitly and set a token expiration.

```go
// Reject any token whose header does not name an HMAC method, so a client
// cannot substitute "none" or a public-key algorithm for the expected one.
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
	if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
		return nil, fmt.Errorf("unexpected method: %v", token.Header["alg"])
	}
	// The HMAC secret is read from the environment rather than hard-coded.
	return []byte(os.Getenv("JWT_SECRET")), nil
})
```

Learn more: https://shoulder.dev/learn/go/cwe-347/jwt-vulnerabilities

## Related Rules

- **FastAPI JWT Security Issues** [HIGH]:
- **JWT Decode Without Verification** [HIGH]:
- **JWT Algorithm Confusion Attack** [CRITICAL]: