Skip to main content
Application Security Standards
JWT Package Left Projects Exposed for MonthsIncident
3 min readFor Security Engineers

JWT Package Left Projects Exposed for Months

A vulnerability fix in a widely-used Golang JWT package was never merged into the version most developers used. This oversight left projects exposed to authentication bypass, despite the existence of a patch. This highlights a critical issue in version management of open-source dependencies, which can leave your systems vulnerable even when a fix is available.

What Happened

The Golang JWT package had a vulnerability allowing attackers to bypass audience verification. The audience claim (aud) in JWT tokens specifies which services should accept the token. The flaw enabled attackers to use tokens with unauthorized services.

Although a fix was committed, it was not merged into the master branch. Developers relying on master—a common practice before strict version pinning—continued to use vulnerable code. Their authentication checks seemed functional, but audience restrictions failed silently.

Snyk's research team discovered the issue while analyzing Golang vulnerabilities. They assigned a CVE and disclosed it publicly, alerting many teams to the authentication bypass in their code.

Timeline

  • Initial vulnerability introduction: Unknown
  • Fix committed: Patch written and committed to a branch
  • Fix NOT merged to master: Master branch remained vulnerable
  • Snyk discovery: Issue identified during ecosystem analysis
  • CVE assignment: Vulnerability formally tracked and disclosed
  • Public disclosure: Teams learned of the issue via CVE feeds or Snyk's database

The delay between the fix and team awareness left projects vulnerable for months, as they continued to pull from the master branch.

Which Controls Failed

  • Dependency version pinning: Relying on branch names instead of tagged releases meant teams couldn't distinguish between vulnerable and patched code. Using master in your go.mod file fetches the current state, not the most secure version.
  • Vulnerability scanning in CI/CD: Static analysis tools could catch this only after the CVE was assigned. The time between the fix and disclosure left teams exposed.
  • Maintainer release process: Without a documented release cadence or security patch communication, developers couldn't know a fix existed unless they reviewed commit history.
  • Authentication testing: Unit tests didn't verify audience claims specifically, allowing the vulnerability to persist undetected.

What Standards Require

  • PCI DSS v4.0.1 Requirement 6.3.2 mandates identifying vulnerabilities using industry-recognized sources and reviewing custom software for vulnerabilities.
  • OWASP ASVS v4.0.3 Section 3.5.3 requires enforcing audience restrictions on authentication tokens.
  • NIST 800-53 Rev 5 Control SA-11 requires verifying third-party components meet security requirements.
  • ISO/IEC 27001:2022 Annex A.8.31 requires separating development, testing, and production environments and reviewing code before deployment.

Lessons and Action Items

  • Pin every dependency to a semantic version tag. Avoid using master, main, or latest in production files. Use specific version tags in your go.mod:

    // Don't do this
require github.com/example/jwt master

// Do this
require github.com/example/jwt v1.2.3

  • Implement comprehensive dependency scanning. Use tools that check both CVEs and commit history. Run scans on every pull request.

  • Write authentication tests that verify each claim. Ensure your test suite checks for audience validation:

    func TestAudienceRestriction(t *testing.T) {
    token := issueTokenForServiceA()
    err := serviceBValidator.Validate(token)
    if err == nil {
        t.Error("Token for Service A was accepted by Service B")
    }
}

  • Monitor dependencies' release practices. Check for tagged releases, a SECURITY.md file, regular maintenance, and security patches.

  • Create an internal registry of approved package versions. This allows for centralized updates and faster propagation of fixes.

  • Set up alerts for new CVEs in your dependency tree. Use tools like GitHub's Dependabot and Snyk to notify you of vulnerabilities and automate patch updates.

The JWT vulnerability underscores that having a fix is not enough—proper version management is essential to ensure your systems are protected. When version control fails, every authentication check in your codebase becomes suspect.

Topics:Incident

You Might Also Like

NGINX RCE: Two Critical Flaws Patched
5 min readFor Security Engineers

NGINX RCE: Two Critical Flaws Patched

F5 disclosed two critical remote code execution vulnerabilities in NGINX Open Source on January 14, 2025. Both CVE-2026-42530 and CVE-2026-42055 carry CVSS v4 scores of 9.2. If your team is running NG

Read
AI Guardrails Turned Into DoS Weapons: What Failed
4 min readFor CISOs

AI Guardrails Turned Into DoS Weapons: What Failed

What Happened Researchers at Hong Kong University of Science and Technology have discovered a denial-of-service attack that exploits AI agent safety systems. This attack, known as reasoning-extension

Read
Splunk Enterprise RCE: When Your SIEM Becomes the Attack Vector
4 min readFor Security Engineers

Splunk Enterprise RCE: When Your SIEM Becomes the Attack Vector

Your security information and event management (SIEM) platform should detect intrusions, not enable them. However, in June 2026, organizations running unpatched Splunk Enterprise found themselves in a

Read