CVE-2018-1000531

HIGH

prime-jwt < 1.3.0 - JWT Signature Validation Bypass via 'none' Algorithm

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2018-1000531. PoCs published by realbatuhan, dawetmaster, andikahilmy.

AI-analyzed exploit summary This repository contains a Python-based JWT bruteforcer that tests for CVE-2018-1000531, an algorithm confusion vulnerability allowing authentication bypass by setting the 'alg' header to 'none'. It also includes a brute-force component for cracking JWT secrets.

Description

inversoft prime-jwt version prior to commit abb0d479389a2509f939452a6767dc424bb5e6ba contains a CWE-20 vulnerability in JWTDecoder.decode that can result in an incorrect signature validation of a JWT token. This attack can be exploitable when an attacker crafts a JWT token with a valid header using 'none' as algorithm and a body to requests it be validated. This vulnerability was fixed after commit abb0d479389a2509f939452a6767dc424bb5e6ba.

Exploits (3)

nomisec WORKING POC 1 stars
by realbatuhan · poc
https://github.com/realbatuhan/JWT-Bruteforcer

This repository contains a Python-based JWT bruteforcer that tests for CVE-2018-1000531, an algorithm confusion vulnerability allowing authentication bypass by setting the 'alg' header to 'none'. It also includes a brute-force component for cracking JWT secrets.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: JWT libraries (e.g., PyJWT) with improper algorithm validation
No auth needed
Prerequisites: A valid JWT token · A wordlist for brute-forcing (optional)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2018-1000531-prime-jwt-vulnerable

This repository contains a vulnerable version of the Prime JWT library (1.3.0) that demonstrates CVE-2018-1000531, an authentication bypass vulnerability due to improper handling of the 'none' algorithm in JWT verification. The code includes functional JWT encoding/decoding logic, including support for HMAC and RSA signing, but lacks proper validation for unsecured tokens.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Prime JWT 1.3.0
No auth needed
Prerequisites: A vulnerable Prime JWT library (1.3.0) in the target application · Ability to send crafted JWT tokens to the target
devstral-2 · analyzed Mar 14, 2026 Full analysis →
nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2018-1000531-prime-jwt-vulnerable

This repository contains a vulnerable version of the Prime JWT library (1.3.0) that demonstrates CVE-2018-1000531, an authentication bypass vulnerability due to improper handling of the 'none' algorithm in JWT verification. The code includes functional JWT encoding/decoding logic, including support for HMAC and RSA signing, but lacks proper validation for unsecured tokens.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Prime JWT 1.3.0
No auth needed
Prerequisites: Access to a system using Prime JWT 1.3.0 for JWT verification
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1
Core References
Third Party Advisory x_refsource_misc
https://github.com/inversoft/prime-jwt/issues/3

Scores

CVSS v3 7.5
EPSS 0.0162
EPSS Percentile 72.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-20
Status published
Products (1)
inversoft/prime-jwt < 1.3.0
Published Jun 26, 2018
Tracked Since Feb 18, 2026