l8w8jwt 2.2.1 uses memcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel.
The memcmp function stops comparing bytes upon encountering the first difference, so its execution time depends on the number of matching bytes. An attacker can measure server response times during successive authentication attempts to systematically guess subsequent bytes of the correct JWT token or signature. This type of statistical attack (timing side channel) enables effective verification mechanism bypass without knowledge of the cryptographic secret.
An attacker can bypass JWT-based authentication verification and gain unauthorized access to resources protected by the library, potentially leading to complete application takeover (breach of confidentiality, integrity, and availability).
Patches available from the vendor should be applied according to the references. It is recommended to replace the memcmp function with a constant-time comparison implementation, e.g., using dedicated cryptographic functions resistant to timing attacks.
GlitchedPolygons l8w8jwt version 2.2.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGlitchedpolygons L8w8jwt
APPGlitchedpolygons2.2.1