VDB
KO
MEDIUM

GHSA-29fc-p6c4-24cg

Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims

Details

### Description

`OidcTokenHandler` is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the `web-token/jwt-checker` library's `ClaimCheckerManager`.

`OidcTokenHandler::verifyClaims()` registers audience (`aud`), issuer (`iss`), and expiry (`exp`) checkers, but never passes the `$mandatoryClaims` argument to `ClaimCheckerManager::check()`. That method only validates claims that are *present* in the token: a checker for an absent claim is silently skipped. A validly-signed JWT that simply **omits** `aud`, `iss`, and `exp` therefore passes verification.

### Resolution

The `OidcTokenHandler` now calls the `ClaimCheckerManager` with the list of mandatory claims so that tokens missing `aud`, `iss`, or `exp` are rejected.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/6b717aaac21b7e96798448d14c4355ea87690b3d) for branch 6.4.

### Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / symfony/security-http
Introduced in: 6.3.0 Fixed in: 6.4.40
Fix composer require symfony/security-http:^6.4.40
Packagist / symfony/security-http
Introduced in: 7.4.0 Fixed in: 7.4.12
Fix composer require symfony/security-http:^7.4.12
Packagist / symfony/security-http
Introduced in: 8.0.0 Fixed in: 8.0.12
Fix composer require symfony/security-http:^8.0.12
Packagist / symfony/symfony
Introduced in: 6.3.0 Fixed in: 6.4.40
Fix composer require symfony/symfony:^6.4.40
Packagist / symfony/symfony
Introduced in: 7.4.0 Fixed in: 7.4.12
Fix composer require symfony/symfony:^7.4.12
Packagist / symfony/symfony
Introduced in: 8.0.0 Fixed in: 8.0.12
Fix composer require symfony/symfony:^8.0.12

References