# JWT Decode Without Verification

- **ID:** javascript-jwt-decode-without-verify
- **Severity:** HIGH
- **CWE:** Improper Signature Verification (CWE-347)
- **Languages:** JavaScript, TypeScript
- **Frameworks:** express, fastify, nodejs

## Description

Detects use of `jwt.decode()` without proper verification, leading to authentication bypass.

`jwt.decode()` decodes a JWT token WITHOUT verifying its signature. It only base64url-decodes the header and payload, so an attacker can create a token with any payload they want, and the application will trust it.

Common mistakes:

- Using `jwt.decode()` instead of `jwt.verify()`
- Decoding a token for inspection and then trusting the payload
- Using the decoded payload for authorization decisions

The decoded payload should NEVER be trusted for security decisions without verification.

## Detection Message

JWT decoded without verification at {sink}. Token from {source} is decoded but signature is not verified. Attackers can forge tokens with arbitrary payloads, bypassing authentication.

## Remediation

Use `jwt.verify()` instead of `jwt.decode()` to validate the signature, and pin the accepted algorithm so the token cannot choose it:

```javascript
const jwt = require('jsonwebtoken');

app.post('/api/auth/verify', (req, res) => {
  const { token } = req.body;
  try {
    // RS256 verification takes the PEM-encoded public key, not a shared secret;
    // the explicit algorithms list rejects "none" and HS/RS algorithm confusion.
    const decoded = jwt.verify(token, process.env.JWT_PUBLIC_KEY, {
      algorithms: ['RS256'],
    });
    res.json({ user: decoded });
  } catch (error) {
    res.status(401).json({ error: 'Invalid token' });
  }
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-347/jwt-decode-without-verify

## Related Rules

- **FastAPI JWT Security Issues** [HIGH]
- **JWT Security Vulnerabilities** [HIGH]
- **JWT Algorithm Confusion Attack** [CRITICAL]