# JWT Algorithm Confusion Attack

- ID: python-jwt-algorithm-confusion
- Severity: CRITICAL
- CWE: Improper Signature Verification (CWE-347)
- Languages: Python
- Frameworks: django, flask, fastapi

## Description

Detects JWT tokens decoded without an explicit allow-list of algorithms, or with the 'none' algorithm accepted. Either lets the token header choose how (or whether) the signature is verified, allowing token forgery.

## Remediation

Always specify the allowed algorithms explicitly when decoding JWT tokens, so the header's `alg` field cannot select a weaker or unsigned verification path:

```python
import jwt

payload = jwt.decode(token, SECRET_KEY, algorithms=['HS256'])
```

Learn more: https://shoulder.dev/learn/python/cwe-347/jwt-algorithm-confusion

## Related Rules

- **FastAPI JWT Security Issues** [HIGH]
- **JWT Security Vulnerabilities** [HIGH]
- **JWT Decode Without Verification** [HIGH]
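As an added example (not code from this rule page or from PyJWT), a minimal stdlib-only HS256 verifier that shows what the `algorithms=['HS256']` allow-list in the remediation enforces: the token header's `alg` is untrusted input, so `none` and any algorithm not on the server's list are rejected before the signature is even examined. The key, claims and tokens are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue an HS256-signed token (the server's legitimate issuance path)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_jwt(token: str, key: bytes, algorithms=("HS256",)) -> dict:
    """Verify a token, accepting only algorithms on the server-side allow-list."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    # The allow-list decides, never the header: 'none' and unlisted algorithms fail here.
    if alg not in algorithms:
        raise ValueError(f"algorithm {alg!r} not allowed")
    if alg != "HS256":
        raise ValueError("only HS256 is implemented in this example")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(body_b64))

def is_valid(token: str, key: bytes) -> bool:
    """True only if verify_jwt accepts the token (all decode errors are ValueError)."""
    try:
        verify_jwt(token, key)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed sample secret
    good = sign_hs256({"sub": "alice", "admin": False}, KEY)
    # Unsigned variant of the same claims: header says alg=none, signature part empty.
    unsigned = b64url_encode(b'{"alg":"none"}') + "." + good.split(".")[1] + "."
    print("signed token accepted:", is_valid(good, KEY))
    print("alg=none token accepted:", is_valid(unsigned, KEY))
```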