Branch: refs/heads/3.5
Home: https://github.com/OpenSIPS/opensips
Commit: 5d62ce54f55009bf861cb6349877eb57a0a120b8
https://github.com/OpenSIPS/opensips/commit/5d62ce54f55009bf861cb6349877eb57a0a120b8
Author: pavelkohout396 <[email protected]>
Date: 2026-02-02 (Mon, 02 Feb 2026)
Changed paths:
M modules/auth_jwt/authorize.c
Log Message:
-----------
Fix SQL injection in auth_jwt module via unescaped tag claim (#3807)
The jwt_db_authorize() function in the auth_jwt module decodes JWT tokens
without signature verification to extract the 'tag' claim, then interpolates
this claim directly into a raw SQL query without escaping. An attacker can
craft a malicious JWT with a SQL injection payload in the tag claim (e.g.,
"' UNION SELECT 'admin','attacker_secret' --") to inject their own secret
into the query result. Since the injected secret is then used to verify the
JWT signature, the attacker can sign their token with this known secret and
achieve authentication bypass.
Reported-by: Pavel Kohout, Aisle Research, www.aisle.com
(cherry picked from commit 3822d33c1c6b25832fdd88da1d23eed74be55b05)
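
Added example, not code from the OpenSIPS commit or project: it reads the 'tag' claim from an unverified token and runs the secret lookup once with string interpolation and once with a bound parameter, so the difference in the returned secret is visible. Assumptions: the jwt_keys table, its columns, the function names and the sample token are constructed for illustration, and an in-memory SQLite database stands in for the real database backend.

```python
import base64
import json
import sqlite3

# Hypothetical schema and names; SQLite stands in for the real database backend.

def b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sample_token(tag):
    """Constructed, unsigned token: anyone can put any string in 'tag'."""
    return ".".join([b64url({"alg": "HS256", "typ": "JWT"}), b64url({"tag": tag}), "sig"])

def unverified_tag(token):
    """Read the 'tag' claim before any signature check, as the commit describes."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))["tag"]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jwt_keys (username TEXT, secret TEXT, tag TEXT)")
    db.execute("INSERT INTO jwt_keys VALUES ('alice', 'server-side-secret', 'alice-key')")
    return db

def lookup_interpolated(db, tag):
    # Vulnerable pattern: the claim becomes part of the SQL text itself.
    sql = "SELECT username, secret FROM jwt_keys WHERE tag = '%s'" % tag
    return db.execute(sql).fetchall()

def lookup_bound(db, tag):
    # Hardened pattern: the claim is bound as a value and never parsed as SQL.
    sql = "SELECT username, secret FROM jwt_keys WHERE tag = ?"
    return db.execute(sql, (tag,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Second tag is the payload quoted in the commit message above.
    for tag in ("alice-key", "' UNION SELECT 'admin','attacker_secret' --"):
        claim = unverified_tag(sample_token(tag))
        print(repr(claim))
        print("  interpolated:", lookup_interpolated(db, claim))
        print("  bound:       ", lookup_bound(db, claim))
```

With the bound lookup the crafted tag matches no row, so there is no secret to verify the signature against and the token is rejected.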