{
  "id": "security/jwt-kid-parameter-sql-injection",
  "signature": "JWT kid parameter allows SQL injection when used to fetch public key from database",
  "signature_zh": "JWT的kid参数在用于从数据库获取公钥时允许SQL注入",
  "regex": "kid.*SQL injection|JWT.*unsafe query|kid.*concatenation",
  "domain": "security",
  "category": "data_error",
  "subcategory": null,
  "root_cause": "The JWT header's kid (key ID) parameter is directly concatenated into a SQL query to fetch the verification key, enabling SQL injection if the kid value is maliciously crafted.",
  "root_cause_type": "generic",
  "root_cause_zh": "JWT头部的kid（密钥ID）参数被直接拼接到SQL查询中以获取验证密钥，如果kid值被恶意构造，则允许SQL注入。",
  "versions": [
    {
      "version": "jsonwebtoken 9.0.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "PyJWT 2.8.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "jjwt 0.12.3",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Spring Security 6.2.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Validating kid format with regex but still using string concatenation in SQL",
      "why_fails": "Regex validation can be bypassed (e.g., with encoded characters); the fundamental issue is parameterized queries not used.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "Escaping the kid value manually with backslashes or quotes",
      "why_fails": "Escaping is error-prone and database-specific; a crafted input can still break out of the string context.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Use parameterized queries (prepared statements) for fetching the public key. Example in Python with psycopg2: cursor.execute('SELECT key FROM keys WHERE kid = %s', (jwt_header['kid'],))",
      "success_rate": 0.98,
      "how": "Use parameterized queries (prepared statements) for fetching the public key. Example in Python with psycopg2: cursor.execute('SELECT key FROM keys WHERE kid = %s', (jwt_header['kid'],))",
      "condition": "",
      "sources": []
    },
    {
      "action": "Validate kid against a whitelist of allowed key IDs before using it in any query.",
      "success_rate": 0.85,
      "how": "Validate kid against a whitelist of allowed key IDs before using it in any query.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "使用参数化查询（预编译语句）获取公钥。Python中使用psycopg2的示例：cursor.execute('SELECT key FROM keys WHERE kid = %s', (jwt_header['kid'],))",
    "在使用kid之前，根据允许的密钥ID白名单进行验证。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.88,
  "fix_success_rate": 0.9,
  "resolvable": "true",
  "first_seen": "2024-06-20",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}