Vulnerability DatabaseGHSA-88q6-jcjg-hvmw

GHSA-88q6-jcjg-hvmw:
Swift vulnerability analysis and mitigation

Summary

An authentication bypass vulnerability allows any unauthenticated attacker to forge arbitrary JWT tokens by setting "alg": "none" in the token header. The library's verification functions immediately return true for such tokens without performing any cryptographic verification, enabling complete impersonation of any user and privilege escalation.

Details

The vulnerability exists in Sources/JSONWebSignature/JWS+Verify.swift at lines 34-37:

  public func verify<Key>(key: Key?) throws -> Bool {
      guard SigningAlgorithm.none != protectedHeader.algorithm else {
          return true  // <-- Vulnerability: returns true without verification
      }

When the JWT header contains "alg": "none", the verify() method returns true immediately without:

Checking if the signature is empty or present
Validating the token against any key
Requiring explicit opt-in from the caller The SigningAlgorithm enum in Sources/JSONWebAlgorithms/Signatures/SigningAlgorithm.swift:72 explicitly includes case none = "none" as a valid algorithm.All verification methods are affected:

JWS.verify(key:) - Instance method
JWS.verify(jwsString:payload:key:) - Static method
JWT.verify(jwtString:senderKey:) - High-level API

PoC

Create a forged JWT with modified claims:// Forged header with alg:nonelet header = #"{"alg":"none","typ":"JWT"}"#// Attacker's payload with escalated privilegeslet payload = #"{"sub":"user123","admin":true}"#// Base64URL encode and concatenate with empty signaturelet forgedToken = base64url(header) + "." + base64url(payload) + "."// Result: eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJ1c2VyMTIzIiwiYWRtaW4iOnRydWV9.
Verify the forged token passes verification:let jws = try JWS(jwsString: forgedToken)let isValid = try jws.verify(key: legitimateSecretKey) // Returns TRUE

Impact

This is an authentication bypass vulnerability. Who is impacted: Any application using jose-swift for JWT verification is vulnerable. An attacker can:

Forge identity: Create tokens claiming to be any user
Escalate privileges: Add admin/superuser claims to gain unauthorized access
Bypass authentication entirely: Access protected resources without valid credentials
Modify any claim: Change expiration, audience, issuer, or any custom claimsThe attack requires no knowledge of the signing key and works against all signature algorithms (HS256, RS256, ES256, etc.) since the attacker simply bypasses signature verification entirely.

Credits

Reported by Louis Nyffenegger - https://pentesterlab.com/

Source: NVD

Related Swift vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
GHSA-88q6-jcjg-hvmw	HIGH	8.8	Swift	github.com/beatt83/jose-swift	No	No	Jan 09, 2026
CVE-2026-20613	HIGH	7.8	Swift	container	No	Yes	Jan 23, 2026
GHSA-xvr7-p2c6-j83w	MEDIUM	6.3	Swift	SwiftNIOHPACK	No	Yes	Aug 13, 2025
CVE-2026-23886	MEDIUM	5.3	Swift	github.com/swift-otel/swift-otel	No	Yes	Jan 19, 2026
GHSA-pc9j-5v36-2mww	LOW	3.7	Swift	github.com/awslabs/aws-sdk-swift	No	Yes	Jan 08, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

GHSA-88q6-jcjg-hvmw: Swift vulnerability analysis and mitigation