Lemur 1.9.0: JWT verifier trusts attacker-supplied alg from token header — defense-in-depth gap; chain-dependent ATO with secret disclosure
Vulnerability Summary
| Field |
Value |
| Title |
Lemur 1.9.0: JWT verifier trusts attacker-supplied alg from token header — defense-in-depth gap; chain-dependent ATO with secret disclosure |
| Component |
lemur/lemur/auth/service.py:130-137 |
| CWE |
CWE-347 (Improper Verification of Cryptographic Signature) |
| Attack Prerequisite |
Defense-in-depth gap on its own — no single-request exploit against PyJWT 2.x. Single-request ATO requires a separate disclosure issue that leaks LEMUR_TOKEN_SECRET, or a future migration to asymmetric signing without fixing this sink. |
| Affected Versions |
github.com/Netflix/lemur version = "1.9.0". Same code present in every prior release that has the auth/service.py:130 block. |
Executive Summary
The Lemur JWT verifier reads the alg header field from the unverified token and passes it straight into pyjwt.decode(..., algorithms=[header['alg']]). This is a classic JWT antipattern: the server is supposed to pin the algorithm, not the attacker. PyJWT 2.x's default config rejects alg=none, so this is not a single-request ATO today — I want to be precise about that. The bug is a hardening gap with two real consequences. First, if the deployment ever migrates to asymmetric signing (RS256/ES256), an attacker can pin alg=HS256 and forge tokens using the public key as the HMAC secret — the legacy "RS256→HS256 confusion" trick. Second, the audit-log surface that records alg to flag anomalous tokens is filled in from the attacker's header, so anomaly detection is blinded. I'm submitting this honestly at MEDIUM 4.8 (defense-in-depth) rather than inflating it; the chain to single-request ATO is documented but it depends on a separate disclosure bug.
Walkthrough: https://asciinema.org/a/2Blv9r4DoOleUk7a
Description
lemur/lemur/auth/service.py:130-137:
try:
header_data = fetch_token_header(token)
payload = decode_with_multiple_secrets(
token, token_secrets, algorithms=[header_data["alg"]]
)
except jwt.DecodeError:
return dict(message="Token is invalid"), 403
fetch_token_header decodes the JWT's first segment (base64-decoded JSON, no signature check) and returns the header object. header_data["alg"] is whatever the bearer of the token put there. That value is then handed to decode_with_multiple_secrets, which calls pyjwt.decode(..., algorithms=[<attacker_value>]). The algorithms parameter is meant to be the server's pinned allowlist of acceptable signing algorithms — the line that says "I will accept HS256 and nothing else". By reading it from the token, Lemur asks the attacker which algorithm to trust.
Why this is MEDIUM and not CRITICAL today: PyJWT 2.x's decode() rejects alg=none regardless of the algorithms parameter (PyJWT enforces this in jwt.algorithms.NoneAlgorithm.verify). I confirmed this in the lab — a forged alg=none token comes back as HTTP 403 {"error":"When alg = \"none\", key value must be None.","message":"Failed to decode token"}. The classic single-request alg=none ATO is closed by the library, not by Lemur.
Why this still matters:
- Algorithm confusion is exactly what
algorithms= is supposed to prevent. The widely-cited "RS256→HS256 confusion" attack works by pinning alg=HS256 and using the RS256 public key as the HMAC secret. The fix everyone teaches for that attack is "server pins the algorithm". Lemur doesn't, so the protection has a hole the moment the deployment moves to asymmetric signing.
- The PyJWT 2.x mitigation is a library default, not a Lemur design choice. A future PyJWT major that loosens the
none check, or a downgrade to a vulnerable PyJWT for any reason, re-opens single-request ATO. Defense-in-depth means not relying on library defaults to backstop the framework's own validation.
- Audit blindness. Logging tooling that consumes
alg to detect "this token claims an algorithm we don't issue" sees only what the attacker put in the header. A real HS256 token forged by an attacker who pins alg=ES256 (or any garbage that survives decode) bypasses naive alg-based anomaly heuristics.
- The chain to single-request ATO is short. Any separate disclosure issue that leaks
LEMUR_TOKEN_SECRET (a debug page, an unguarded /metrics, an SSRF-to-config, an S3 backup leak, a git history accident) immediately turns into HS256 forgery — and the alg-from-header sink leaves the verifier downgradeable even after an operator migrates to RS256 later.
I'm framing this as a hardening defect at MEDIUM 4.8 because that's what the evidence supports. The chain step (config disclosure → forge admin) is demonstrated in the lab as a clear "what happens if this chain links" walk-through, not as a primary claim.
Proof of Concept & Steps to Reproduce
Walkthrough: https://asciinema.org/a/2Blv9r4DoOleUk7a. Offline cast: lemur_jwt_alg_hardening.cast. Harness: lemur_jwt_alg_hardening/support/ (lemur_jwt_mock.py mirrors lemur/auth/service.py:130-137 line-for-line).
Prerequisites: Docker, curl, jq, python3 with PyJWT.
Run
cd lemur_jwt_alg_hardening/
EXPLOIT_FAST=1 ./exploit_code.sh
Step 1 — Baseline legitimate login
curl -sS -X POST http://127.0.0.1:18001/api/1/auth/login \
-H 'Content-Type: application/json' \
-d '{"email":"operator@netflix.example"}'
Response (evidence/03_login_response.json):
{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....",
"user":{"active":true,"email":"operator@netflix.example","id":1,"role":"operator"}}
/api/1/users/me with that token returns 200 — baseline auth path works.
Step 2 — Confirm the antipattern in source
docker exec lemur-jwt-alg-hardening-harness cat /app/evidence-src/jwt_sink.txt
Output is the verbatim Lemur block:
# lemur/lemur/auth/service.py:130-137
try:
header_data = fetch_token_header(token)
payload = decode_with_multiple_secrets(
token, token_secrets, algorithms=[header_data["alg"]] # <-- antipattern
)
except jwt.DecodeError:
return dict(message="Token is invalid"), 403
The mock applies the same code path. No transformation, no allowlist, no server pin.
Step 3 — Forge alg=none (PyJWT 2.x rejects)
curl -sS -o /dev/null -w 'HTTP %{http_code}
' \
http://127.0.0.1:18001/api/1/users/me \
-H 'Authorization: Bearer eyJhbGciOiAibm9uZSIsICJ0eXAiOiAiSldUIn0.eyJzdWIiOiAyLCAiZW1haWwiOiAiYWRtaW5AbmV0ZmxpeC5leGFtcGxlIn0.'
Response (evidence/05_alg_none_attempt.json): HTTP 403. Body: {"error":"When alg = \"none\", key value must be None.","message":"Failed to decode token"}.
This is honest: PyJWT 2.x closes the single-request alg=none path. The antipattern is not directly exploitable at this PyJWT version.
Step 4 — Chain demo: config disclosure → HS256 forgery
The lab simulates an upstream disclosure issue by docker exec-ing into the container and reading /app/lemur.conf.py. In production this corresponds to any of: a /metrics page that echoes config, a debug error that prints current_app.config, an SSRF that reaches file:///app/lemur.conf.py, a misindexed git history, an S3 backup with the config file. The lab does not invent a separate vulnerability — it documents what happens when one of those exists.
docker exec lemur-jwt-alg-hardening-harness cat /app/lemur.conf.py
# LEMUR_TOKEN_SECRET = 'lab-deploy-token-secret-DO-NOT-USE-IN-PROD-aabbccdd11'
Forge an admin JWT with the leaked secret:
python3 -c "import jwt; print(jwt.encode({'sub':2,'email':'admin@netflix.example'}, '<leaked>', algorithm='HS256'))"
# eyJhbGciOiJIUzI1NiIs...
Send it:
curl -sS http://127.0.0.1:18001/api/1/users/me \
-H "Authorization: Bearer $FORGED_ADMIN"
Response (evidence/06_forged_admin_response.json):
{"payload":{"email":"admin@netflix.example","sub":2},
"user":{"active":true,"email":"admin@netflix.example","id":2,"role":"admin"}}
HTTP 200, role=admin. The forgery succeeds because (a) the attacker picked alg=HS256, (b) the server didn't pin its own algorithm, and (c) the secret was disclosed by the separate upstream issue. If the alg-from-header sink were fixed, even a leaked HS256 secret would not extend to whatever asymmetric algorithm the operator migrates to next — the attacker would have to also break the asymmetric key.
Step 5 — Verdict
VERDICT: ANTIPATTERN CONFIRMED — chain-dependent ATO
1. lemur/auth/service.py:130-137 passes attacker-controlled alg into decode()
2. PyJWT 2.x rejects alg=none, so the antipattern is NOT directly exploitable
3. Chained with upstream config disclosure → HS256 forgery wins
Exploit Code & Lab Set-up
Lemur-jwt-alg-hardening.zip
Root Cause Analysis
The pattern in auth/service.py:130-137 is what every JWT-library author warns against. pyjwt.decode's algorithms parameter exists precisely to pin the server's accepted set; the documentation calls out that callers should never pass the value from the token header. The author of this block likely intended to support multiple deployment configurations (some on HS256, some on RS256) and dispatched on the token's claimed algorithm — but the right way to do that is algorithms=current_app.config["JWT_ACCEPTED_ALGS"] (a server-pinned list), not algorithms=[header_data["alg"]] (the attacker's preference).
The PyJWT 2.x mitigation is the only thing standing between this code and a single-request alg=none ATO. That mitigation lives in PyJWT's NoneAlgorithm.verify, which raises InvalidKeyError when alg=none is supplied with a non-None key. Lemur passes a real key, so the path raises and Lemur catches it as jwt.DecodeError and returns 403. Good — but the protection is in the dependency, not in Lemur's code. A PyJWT-1.x backport, an accidental downgrade, or a future PyJWT behaviour change re-opens the door.
The RS256→HS256 confusion variant is the more durable concern. If an operator migrates Lemur from HS256 to RS256 — a normal hardening step — the attacker pins alg=HS256 in the header and uses the RS256 public key as the HMAC secret. PyJWT 2.x's decode_complete does call _verify_signature with the supplied algorithm, and if the algorithm is HS256 and the "secret" is the bytes of the RS256 public key, the verifier passes. The fix is a server-pinned algorithm list; if the server only accepts ["RS256"], an attacker-supplied alg=HS256 token fails at the algorithms check before any key material is consulted.
The MEDIUM 4.8 score honestly reflects what's exploitable today: the antipattern is real, the impact today is limited to (a) audit-log blinding and (b) a downgrade primitive that activates under separate conditions. I'm explicitly not claiming RS256→HS256 against current Lemur because Lemur today is HS256 — the "RS256 → HS256" trick doesn't apply because Lemur's secret arg is HMAC bytes, not an RSA pubkey. The fix is still worth making.
Attack Scenario
sequenceDiagram
participant Attacker
participant Lemur as Lemur API
participant Disclosure as Disclosure surface
participant Audit as Audit logging
Note over Attacker,Lemur: "Today: PyJWT 2.x mitigation holds for alg=none"
Attacker->>Lemur: "Bearer alg=none token with [payload]"
Lemur->>Lemur: "pyjwt.decode raises (alg=none + non-None key)"
Lemur-->>Attacker: "403 Forbidden"
Note over Disclosure,Lemur: "Chain step: separate disclosure leaks LEMUR_TOKEN_SECRET"
Attacker->>Disclosure: "trigger debug / SSRF / backup leak"
Disclosure-->>Attacker: "LEMUR_TOKEN_SECRET value"
Note over Attacker,Lemur: "Forge HS256 admin token with leaked secret"
Attacker->>Lemur: "Bearer alg=HS256 admin token signed with leaked secret"
Lemur->>Lemur: "algorithms=[HS256] (taken from header) — accepted"
Lemur-->>Attacker: "200 OK, role=admin"
Note over Audit: "alg=HS256 in audit log - no anomaly flag because attacker picks alg"
Impact Assessment
Today, in a fully-patched Lemur 1.9.0 on PyJWT 2.x, the standalone impact is C:L (audit-log surface is attacker-influenced) / I:L (an attacker who controls alg can downgrade a future verifier upgrade) / A:N. The vector requires no user interaction — the attacker just sends a crafted token directly — but AC:H reflects the real-world conditions that have to align (PyJWT version, future migration to asymmetric signing, or a separate disclosure issue) before standalone impact materializes. That's the 4.8 MEDIUM score. The chain step to single-request ATO depends on a separate disclosure issue, which I'm not claiming as part of this report.
The reason this is worth fixing now rather than later is that it's a one-line change with no behavioural risk, and the consequence of leaving it in place is a permanent downgrade vector against any algorithm migration Netflix later decides to do. Lemur's role in the certificate-signing pipeline makes its session tokens unusually high-value — anyone who forges a Lemur admin JWT can issue, revoke, and exfiltrate certificates across the org. The Lemur PKI compromise report submitted separately (ACME acme_url SSRF + creator IDOR) shows what an admin Lemur identity can do in practice.
If Lemur ever moves to asymmetric signing without fixing this sink, the score moves to CRITICAL on the same day. Fix it now.
Remediation
One-line server pin:
# lemur/lemur/auth/service.py:130-137
allowed_algs = current_app.config.get("JWT_ALGORITHMS", ["HS256"])
try:
payload = decode_with_multiple_secrets(
token, token_secrets, algorithms=allowed_algs
)
except jwt.DecodeError:
return dict(message="Token is invalid"), 403
Three follow-ups worth doing at the same time:
- Log the algorithm the server actually applied, separately from the algorithm in the token header. This lets audit tooling see "the server enforced HS256 and the token claimed HS256" or, post-fix, "the server enforced RS256 and the token claimed HS256 — rejected", and flag mismatches.
- Pin
algorithms to the smallest possible set. If Lemur only ever issues HS256, accept only HS256. Don't list every supported algorithm just because the library supports it.
- Migrate to asymmetric signing in a separate hardening PR once the algorithm pin is in. RS256 with key rotation removes the "leaked secret = forge admin" chain entirely.
### References
- https://github.com/Netflix/lemur/security/advisories/
GHSA-r9gp-7f88-9r54
- https://github.com/Netflix/lemur/releases/tag/v1.9.2
Lemur 1.9.0: JWT verifier trusts attacker-supplied alg from token header — defense-in-depth gap; chain-dependent ATO with secret disclosure
Vulnerability Summary
Executive Summary
The Lemur JWT verifier reads the
algheader field from the unverified token and passes it straight intopyjwt.decode(..., algorithms=[header['alg']]). This is a classic JWT antipattern: the server is supposed to pin the algorithm, not the attacker. PyJWT 2.x's default config rejectsalg=none, so this is not a single-request ATO today — I want to be precise about that. The bug is a hardening gap with two real consequences. First, if the deployment ever migrates to asymmetric signing (RS256/ES256), an attacker can pinalg=HS256and forge tokens using the public key as the HMAC secret — the legacy "RS256→HS256 confusion" trick. Second, the audit-log surface that recordsalgto flag anomalous tokens is filled in from the attacker's header, so anomaly detection is blinded. I'm submitting this honestly at MEDIUM 4.8 (defense-in-depth) rather than inflating it; the chain to single-request ATO is documented but it depends on a separate disclosure bug.Walkthrough: https://asciinema.org/a/2Blv9r4DoOleUk7a
Description
lemur/lemur/auth/service.py:130-137:fetch_token_headerdecodes the JWT's first segment (base64-decoded JSON, no signature check) and returns the header object.header_data["alg"]is whatever the bearer of the token put there. That value is then handed todecode_with_multiple_secrets, which callspyjwt.decode(..., algorithms=[<attacker_value>]). Thealgorithmsparameter is meant to be the server's pinned allowlist of acceptable signing algorithms — the line that says "I will accept HS256 and nothing else". By reading it from the token, Lemur asks the attacker which algorithm to trust.Why this is MEDIUM and not CRITICAL today: PyJWT 2.x's
decode()rejectsalg=noneregardless of thealgorithmsparameter (PyJWT enforces this injwt.algorithms.NoneAlgorithm.verify). I confirmed this in the lab — a forgedalg=nonetoken comes back asHTTP 403 {"error":"When alg = \"none\", key value must be None.","message":"Failed to decode token"}. The classic single-requestalg=noneATO is closed by the library, not by Lemur.Why this still matters:
algorithms=is supposed to prevent. The widely-cited "RS256→HS256 confusion" attack works by pinningalg=HS256and using the RS256 public key as the HMAC secret. The fix everyone teaches for that attack is "server pins the algorithm". Lemur doesn't, so the protection has a hole the moment the deployment moves to asymmetric signing.nonecheck, or a downgrade to a vulnerable PyJWT for any reason, re-opens single-request ATO. Defense-in-depth means not relying on library defaults to backstop the framework's own validation.algto detect "this token claims an algorithm we don't issue" sees only what the attacker put in the header. A realHS256token forged by an attacker who pinsalg=ES256(or any garbage that survivesdecode) bypasses naive alg-based anomaly heuristics.LEMUR_TOKEN_SECRET(a debug page, an unguarded/metrics, an SSRF-to-config, an S3 backup leak, a git history accident) immediately turns into HS256 forgery — and the alg-from-header sink leaves the verifier downgradeable even after an operator migrates to RS256 later.I'm framing this as a hardening defect at MEDIUM 4.8 because that's what the evidence supports. The chain step (config disclosure → forge admin) is demonstrated in the lab as a clear "what happens if this chain links" walk-through, not as a primary claim.
Proof of Concept & Steps to Reproduce
Walkthrough: https://asciinema.org/a/2Blv9r4DoOleUk7a. Offline cast:
lemur_jwt_alg_hardening.cast. Harness:lemur_jwt_alg_hardening/support/(lemur_jwt_mock.pymirrorslemur/auth/service.py:130-137line-for-line).Prerequisites: Docker,
curl,jq,python3with PyJWT.Run
Step 1 — Baseline legitimate login
Response (
evidence/03_login_response.json):/api/1/users/mewith that token returns 200 — baseline auth path works.Step 2 — Confirm the antipattern in source
Output is the verbatim Lemur block:
The mock applies the same code path. No transformation, no allowlist, no server pin.
Step 3 — Forge
alg=none(PyJWT 2.x rejects)Response (
evidence/05_alg_none_attempt.json):HTTP 403. Body:{"error":"When alg = \"none\", key value must be None.","message":"Failed to decode token"}.This is honest: PyJWT 2.x closes the single-request
alg=nonepath. The antipattern is not directly exploitable at this PyJWT version.Step 4 — Chain demo: config disclosure → HS256 forgery
The lab simulates an upstream disclosure issue by
docker exec-ing into the container and reading/app/lemur.conf.py. In production this corresponds to any of: a/metricspage that echoes config, a debug error that printscurrent_app.config, an SSRF that reachesfile:///app/lemur.conf.py, a misindexed git history, an S3 backup with the config file. The lab does not invent a separate vulnerability — it documents what happens when one of those exists.Forge an admin JWT with the leaked secret:
Send it:
Response (
evidence/06_forged_admin_response.json):HTTP 200,
role=admin. The forgery succeeds because (a) the attacker pickedalg=HS256, (b) the server didn't pin its own algorithm, and (c) the secret was disclosed by the separate upstream issue. If the alg-from-header sink were fixed, even a leaked HS256 secret would not extend to whatever asymmetric algorithm the operator migrates to next — the attacker would have to also break the asymmetric key.Step 5 — Verdict
Exploit Code & Lab Set-up
Lemur-jwt-alg-hardening.zip
Root Cause Analysis
The pattern in
auth/service.py:130-137is what every JWT-library author warns against.pyjwt.decode'salgorithmsparameter exists precisely to pin the server's accepted set; the documentation calls out that callers should never pass the value from the token header. The author of this block likely intended to support multiple deployment configurations (some on HS256, some on RS256) and dispatched on the token's claimed algorithm — but the right way to do that isalgorithms=current_app.config["JWT_ACCEPTED_ALGS"](a server-pinned list), notalgorithms=[header_data["alg"]](the attacker's preference).The PyJWT 2.x mitigation is the only thing standing between this code and a single-request
alg=noneATO. That mitigation lives in PyJWT'sNoneAlgorithm.verify, which raisesInvalidKeyErrorwhenalg=noneis supplied with a non-None key. Lemur passes a real key, so the path raises and Lemur catches it asjwt.DecodeErrorand returns 403. Good — but the protection is in the dependency, not in Lemur's code. A PyJWT-1.x backport, an accidental downgrade, or a future PyJWT behaviour change re-opens the door.The RS256→HS256 confusion variant is the more durable concern. If an operator migrates Lemur from HS256 to RS256 — a normal hardening step — the attacker pins
alg=HS256in the header and uses the RS256 public key as the HMAC secret. PyJWT 2.x'sdecode_completedoes call_verify_signaturewith the supplied algorithm, and if the algorithm is HS256 and the "secret" is the bytes of the RS256 public key, the verifier passes. The fix is a server-pinned algorithm list; if the server only accepts["RS256"], an attacker-suppliedalg=HS256token fails at thealgorithmscheck before any key material is consulted.The MEDIUM 4.8 score honestly reflects what's exploitable today: the antipattern is real, the impact today is limited to (a) audit-log blinding and (b) a downgrade primitive that activates under separate conditions. I'm explicitly not claiming RS256→HS256 against current Lemur because Lemur today is HS256 — the "RS256 → HS256" trick doesn't apply because Lemur's secret arg is HMAC bytes, not an RSA pubkey. The fix is still worth making.
Attack Scenario
Impact Assessment
Today, in a fully-patched Lemur 1.9.0 on PyJWT 2.x, the standalone impact is C:L (audit-log surface is attacker-influenced) / I:L (an attacker who controls
algcan downgrade a future verifier upgrade) / A:N. The vector requires no user interaction — the attacker just sends a crafted token directly — but AC:H reflects the real-world conditions that have to align (PyJWT version, future migration to asymmetric signing, or a separate disclosure issue) before standalone impact materializes. That's the 4.8 MEDIUM score. The chain step to single-request ATO depends on a separate disclosure issue, which I'm not claiming as part of this report.The reason this is worth fixing now rather than later is that it's a one-line change with no behavioural risk, and the consequence of leaving it in place is a permanent downgrade vector against any algorithm migration Netflix later decides to do. Lemur's role in the certificate-signing pipeline makes its session tokens unusually high-value — anyone who forges a Lemur admin JWT can issue, revoke, and exfiltrate certificates across the org. The Lemur PKI compromise report submitted separately (ACME
acme_urlSSRF + creator IDOR) shows what an admin Lemur identity can do in practice.If Lemur ever moves to asymmetric signing without fixing this sink, the score moves to CRITICAL on the same day. Fix it now.
Remediation
One-line server pin:
Three follow-ups worth doing at the same time:
- Log the algorithm the server actually applied, separately from the algorithm in the token header. This lets audit tooling see "the server enforced HS256 and the token claimed HS256" or, post-fix, "the server enforced RS256 and the token claimed HS256 — rejected", and flag mismatches.
- Pin
- Migrate to asymmetric signing in a separate hardening PR once the algorithm pin is in. RS256 with key rotation removes the "leaked secret = forge admin" chain entirely.
### References - https://github.com/Netflix/lemur/security/advisories/GHSA-r9gp-7f88-9r54 - https://github.com/Netflix/lemur/releases/tag/v1.9.2algorithmsto the smallest possible set. If Lemur only ever issues HS256, accept only HS256. Don't list every supported algorithm just because the library supports it.