Branch: refs/heads/3.6
  Home:   https://github.com/OpenSIPS/opensips
  Commit: 2ce53bf26ea2a37032f61db9c8d2a671ab969b22
      
https://github.com/OpenSIPS/opensips/commit/2ce53bf26ea2a37032f61db9c8d2a671ab969b22
  Author: pavelkohout396 <[email protected]>
  Date:   2026-02-02 (Mon, 02 Feb 2026)

  Changed paths:
    M modules/auth_jwt/authorize.c

  Log Message:
  -----------
  Fix SQL injection in auth_jwt module via unescaped tag claim (#3807)

The jwt_db_authorize() function in the auth_jwt module decodes JWT tokens
without signature verification to extract the 'tag' claim, then interpolates
this claim directly into a raw SQL query without escaping. An attacker can
craft a malicious JWT with an SQL injection payload in the tag claim (e.g.,
"' UNION SELECT 'admin','attacker_secret' --") to inject their own secret
into the query result. Since the injected secret is then used to verify the
JWT signature, the attacker can sign their token with this known secret and
achieve authentication bypass.

Reported-by: Pavel Kohout, Aisle Research, www.aisle.com
(cherry picked from commit 3822d33c1c6b25832fdd88da1d23eed74be55b05)
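
The flow described in the log message, reproduced against an in-memory SQLite database as an added example (not code from the OpenSIPS commit, whose patch is not shown here). The table `demo_secrets`, its columns, and every function name are assumptions made for the illustration; the bound-parameter lookup is one standard mitigation, placed beside the interpolated form for comparison.

```python
import base64, hashlib, hmac, json, sqlite3

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def hs256(secret: str, head: str, body: str) -> bytes:
    return hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign(claims: dict, secret: str) -> str:
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    return f"{head}.{body}.{b64u(hs256(secret, head, body))}"

def make_db() -> sqlite3.Connection:
    # Hypothetical schema, constructed for this example only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE demo_secrets (username TEXT, tag TEXT, secret TEXT)")
    db.execute("INSERT INTO demo_secrets VALUES ('alice', 'tag1', 'server-side-secret')")
    return db

def lookup_interpolated(db, tag):
    # 'Before' pattern: the unverified claim becomes part of the SQL text.
    sql = f"SELECT username, secret FROM demo_secrets WHERE tag = '{tag}'"
    return db.execute(sql).fetchall()

def lookup_bound(db, tag):
    # Hardened pattern: the claim is passed as data and never parsed as SQL.
    return db.execute(
        "SELECT username, secret FROM demo_secrets WHERE tag = ?", (tag,)).fetchall()

def authorize(db, token, lookup):
    head, body, sig = token.split(".")
    # The tag is read before any signature check, as the log message describes.
    tag = json.loads(b64u_dec(body)).get("tag", "")
    for username, secret in lookup(db, tag):
        if hmac.compare_digest(hs256(secret, head, body), b64u_dec(sig)):
            return username
    return None

# Constructed tokens: one carries the tag value quoted in the log message,
# signed with the secret that value injects; the other is a legitimate token.
FORGED = sign({"tag": "' UNION SELECT 'admin','attacker_secret' --"}, "attacker_secret")
GENUINE = sign({"tag": "tag1"}, "server-side-secret")

if __name__ == "__main__":
    for name, fn in (("interpolated", lookup_interpolated), ("bound", lookup_bound)):
        print(name, "forged ->", authorize(make_db(), FORGED, fn),
              "| genuine ->", authorize(make_db(), GENUINE, fn))
```

With the bound lookup the forged token matches no row, so no secret is returned for signature verification and the request is rejected, while the genuine token still authenticates.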
