Jwt None Algorithm in Axum

Scan your API now

How Jwt None Algorithm Manifests in Axum

JSON Web Tokens (JWT) are commonly used for stateless authentication in REST APIs. When a JWT is signed with an algorithm identifier (alg), the verifier expects the token to include a valid cryptographic signature using that algorithm. A "none" algorithm attack exploits a flaw where the verifier treats the alg header value of none as a valid signing algorithm, allowing unauthenticated requests to pass verification if the verifier does not enforce a specific signing algorithm.

In Axum, JWT handling is typically implemented using libraries such as axum-jwt, jsonwebtoken, or jwt-advanced. Attackers often target endpoints that accept JWTs via the Authorization header and may manipulate the alg claim to none to bypass signature validation.

Axum does not natively enforce algorithm validation; this responsibility falls on the JWT verification middleware. If the verification logic reads the alg header or payload claim and conditionally skips signature checks when alg is none, the application becomes vulnerable. Common patterns include:

  • Directly checking jwt.alg without enforcing a whitelist of allowed algorithms.
  • Using a verification function that only checks token structure but ignores the alg field.
  • Allowing tokens with alg: none to pass if the signature is empty or omitted.

These patterns can manifest in Axum route handlers when JWT verification is performed manually or via a custom extractor that does not validate the algorithm. For example, an endpoint may accept any token that parses without throwing an error, regardless of signing method. This is especially dangerous in APIs that rely on JWT for role-based access control (RBAC) or session management.

Because Axum is a low-level, modular framework, developers often implement JWT middleware manually. This flexibility increases the risk of misconfiguration, particularly when security assumptions are not explicitly enforced. The absence of a centralized, opinionated JWT policy means that teams must carefully audit their verification logic to prevent alg: none bypasses.

Attackers can exploit this by sending a JWT with header {

Scan your API now Free API security scan

Related Pages

Axum API SecuritySecurity guide for Axum APIs covering authentication, input validation, error handling, and common pitfalls. Learn to seJwt None Algorithm AttackJWT None Algorithm attacks allow bypassing authentication by forging tokens. Learn how this vulnerability works, how attCWE-1104 in AxumHow CWE-1104 double-free vulnerabilities manifest in Axum applications and specific detection and remediation strategiesCWE-116 in AxumLearn how CWE-116 (Insecure Parsing of Command or Script) affects Axum web applications. Discover detection methods withCWE-113 in AxumLearn how CWE‑113 (HTTP Response Splitting) appears in Axum, how to detect it with middleBrick, and how to fix it using CWE-1039 in AxumLearn how CWE-1039 (ReDoS) appears in Axum, how to detect it via black-box scanning with middleBrick, and how to fix it Hipaa for AxumLearn how HIPAA risks manifest in Axum APIs, including specific IDOR patterns, detection via middleBrick, and Axum-nativGdpr for AxumScan Axum APIs for GDPR compliance gaps. Detect unsecured logging, missing consent, and unsafe data transfers with middlIso 27001 for AxumLearn how ISO 27001 applies to Axum APIs, including detection and remediation of common vulnerabilities using middleBricCis for AxumCis vulnerabilities in Axum stem from unvalidated client input leading to injection attacks. Learn how they manifest, hoAxum in E CommerceLearn how e-commerce security risks like BOLA and property authorization appear in Axum APIs, how middleBrick detects thJwt None Algorithm in Axum (Rust)JWT None Algorithm in Axum with Rust: causes, secure validation code, and remediation using strict algorithm checks.