# JWT Algorithm Confusion Attack

- ID: javascript-jwt-algorithm-confusion
- Severity: HIGH
- CWE: Broken Cryptographic Algorithm (CWE-327)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nodejs

## Description

Detects JWT verification calls that do not pin the set of accepted signing algorithms. Without that allowlist the verifier lets the token's own header choose the algorithm, so a token whose header declares `"alg": "none"` is accepted without any signature check, bypassing authentication.

## Detection Message

jwt.verify() without algorithm specification allows 'none' algorithm attack

## Remediation

Always pass an explicit list of allowed algorithms when verifying JWT tokens, and make it the list your issuer actually signs with. Example: `jwt.verify(token, secret, { algorithms: ['RS256'] })`

## Related Rules

- **Use of Weak Cryptographic Algorithm** [HIGH]
- **Weak Cryptographic Algorithm** [MEDIUM]