v4.5.1
Security
Unclear documentation of the error behavior in ParseWithClaims
in <= 4.5.0 could lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims
return both error codes. If users only check for the jwt.ErrTokenExpired
using error.Is
, they will ignore the embedded jwt.ErrTokenSignatureInvalid
and thus potentially accept invalid tokens.
This issue was documented in GHSA-29wx-vh33-7x7r and fixed in this release.
Note: v5
was not affected by this issue. So upgrading to this release version is also recommended.
What's Changed
- Back-ported error-handling logic in
ParseWithClaims
fromv5
branch. This fixes GHSA-29wx-vh33-7x7r.
Full Changelog: v4.5.0...v4.5.1