react-doctor/jwt-insecure-verification
JWT verified with the 'none' algorithm
- Category: Security
- Severity: error
- Source:
oxlint-plugin-react-doctor - Framework: global
- Enabled when: always
- Tags: security-scan
- Default: Enabled
Validation prompt
Use this to decide whether a fired diagnostic is real or a false positive.
Confirm the reported code matches JWT verified with the 'none' algorithm. Check the framework context and diagnostic message before suppressing it.
Fix prompt
Use this once validation confirms the diagnostic is real.
Never accept the none algorithm; it disables signature verification and lets any forged token through. Pin the real algorithm(s) explicitly (jwt.verify(token, key, { algorithms: ['RS256'] })).
Related rules
More Security rules from the rules reference:
react-doctor/key-lifecycle-risk: A private key or release credential committed inline to the repo is exposed in git history and must be rotated and revoked.react-doctor/local-rpc-native-bridge-risk: A localhost or native bridge that accepts loose origins and exposes install/update or shell commands lets a malicious web page drive native actions on the user's machine.react-doctor/mcp-tool-capability-risk: An MCP tool runs with the connecting client's authority, so reaching shell, filesystem, or network primitives without validation lets injected input abuse them.react-doctor/mdx-ssr-execution-risk: Compiling untrusted MDX with the full pipeline runs attacker-supplied JSX and expressions on your server, which can lead to code execution.react-doctor/nextjs-no-side-effect-in-get-handler: Move the side effect to a POST handler and use a <form> or fetch with method POST — GET requests can be triggered by prefetching and are vulnerable to CSRF