CVE-2024-51744: 
Docker vulnerability analysis and mitigation

golang-jwt is a Go implementation of JSON Web Tokens. A vulnerability was discovered in versions <= 4.5.0 where unclear documentation of the error behavior in ParseWithClaims can lead to improper error checking. The issue was disclosed on November 4, 2024 and has been assigned CVE-2024-51744 (GitHub Advisory).

The vulnerability stems from how the ParseWithClaims function handles multiple error conditions. When a token is both expired and has an invalid signature, the function returns both error codes. If developers only check for jwt.ErrTokenExpired using error.Is, they will miss the embedded jwt.ErrTokenSignatureInvalid, potentially accepting invalid tokens. The vulnerability has been assigned a CVSS v3.1 base score of 3.1 (Low) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N (GitHub Advisory).

If exploited, this vulnerability could lead to acceptance of invalid tokens in applications that don't properly check for all error conditions. This could potentially allow attackers to bypass token validation mechanisms, though the actual impact depends on how the application implements token verification (GitHub Advisory).

The issue has been patched in version 4.5.1 by backporting error handling logic from the v5 branch. The fix makes ParseWithClaims immediately return in 'dangerous' situations like invalid signatures. For users unable to upgrade, the workaround is to properly check for all errors, with 'dangerous' ones checked first. The recommended error checking sequence is: token validity, malformed token, unverifiable token, invalid signature, and finally expiration/activation time (GitHub Advisory).