Tags: security, data_error, ai_generated: true
JWT kid parameter allows SQL injection when used to fetch public key from database
ID: security/jwt-kid-parameter-sql-injection
Fix Rate: 90%
Confidence: 88%
Evidence: 1
First Seen: 2024-06-20
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| jsonwebtoken 9.0.0 | active | — | — | — |
| PyJWT 2.8.0 | active | — | — | — |
| jjwt 0.12.3 | active | — | — | — |
| Spring Security 6.2.0 | active | — | — | — |
Root Cause
The JWT header's kid (key ID) parameter is directly concatenated into a SQL query to fetch the verification key, enabling SQL injection if the kid value is maliciously crafted.
Official Documentation
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
Workarounds
- 98% success: Use parameterized queries (prepared statements) for fetching the public key. Example in Python with psycopg2: `cursor.execute('SELECT key FROM keys WHERE kid = %s', (jwt_header['kid'],))`
- 85% success: Validate kid against a whitelist of allowed key IDs before using it in any query.
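An added example (not from the original page or from any of the libraries listed above) that puts the concatenated lookup beside the two workarounds. It uses Python's built-in sqlite3 with a constructed in-memory key table in place of the page's psycopg2 snippet, so the bound-parameter placeholder is `?` rather than `%s`; the key material and the allowlist contents are constructed placeholders.

```python
import sqlite3
from typing import Optional

# Constructed, in-memory stand-in for the application's key table.
# The stored key is a placeholder string, not a real public key.
def make_key_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keys (kid TEXT PRIMARY KEY, public_key TEXT NOT NULL)")
    conn.execute("INSERT INTO keys VALUES ('key-2024-06', 'PLACEHOLDER-PEM')")
    conn.commit()
    return conn

# Root cause: the untrusted kid header is spliced into the SQL text, so a
# quote character in it changes the statement instead of being looked up.
def fetch_key_vulnerable(conn: sqlite3.Connection, kid: str) -> Optional[str]:
    row = conn.execute(f"SELECT public_key FROM keys WHERE kid = '{kid}'").fetchone()
    return row[0] if row else None

# Workaround 1: bound parameter; kid travels as data, never as SQL text.
def fetch_key_parameterized(conn: sqlite3.Connection, kid: str) -> Optional[str]:
    row = conn.execute("SELECT public_key FROM keys WHERE kid = ?", (kid,)).fetchone()
    return row[0] if row else None

# Workaround 2: allowlist of issued key IDs, checked before any query runs.
# Constructed set; in practice it mirrors the keys the service actually issues.
ALLOWED_KIDS = frozenset({"key-2024-06"})

def fetch_key_allowlisted(conn: sqlite3.Connection, kid: str) -> Optional[str]:
    if kid not in ALLOWED_KIDS:
        return None
    return fetch_key_parameterized(conn, kid)

# Runs one kid through all three lookups so their behaviour can be compared.
def compare_lookups(kid: str) -> dict:
    conn = make_key_store()
    results = {}
    try:
        results["vulnerable"] = fetch_key_vulnerable(conn, kid)
    except sqlite3.Error as exc:
        # An unbalanced quote already breaks the statement: proof the header
        # value reached the SQL parser rather than the comparison.
        results["vulnerable"] = f"SQL error: {exc}"
    results["parameterized"] = fetch_key_parameterized(conn, kid)
    results["allowlisted"] = fetch_key_allowlisted(conn, kid)
    conn.close()
    return results

if __name__ == "__main__":
    print(compare_lookups("key-2024-06"))    # all three return the placeholder key
    print(compare_lookups("key-2024-06'q"))  # vulnerable: SQL error; the other two: None
```

The parameterized and allowlisted paths treat the stray quote as part of an unknown kid and simply return no key, which is the behaviour a verifier should fall back to (reject the token).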
Dead Ends
Common approaches that don't work:
- Validating kid format with regex but still using string concatenation in SQL (70% fail): regex validation can be bypassed (e.g., with encoded characters); the fundamental issue is that parameterized queries are not used.
- Escaping the kid value manually with backslashes or quotes (90% fail): escaping is error-prone and database-specific; a crafted input can still break out of the string context.