Token Time Bomb: Evaluating JWT Implementations for Vulnerability Discovery
Jingcheng Yang
Network and Distributed System Security (NDSS) Symposium 2026 · Day 3 · Systems Security
This research presents **JWTable**, the first systematic framework for automatically discovering vulnerabilities in JWT (JSON Web Token) implementations. By combining grammar-based fuzzing with differential analysis, the tool evaluated **43 JWT libraries** across **10 programming languages** and discovered **31 new vulnerabilities** with **20 CVEs assigned**. The vulnerabilities span three critical categories: **sign/encryption confusion** (authentication bypass), **algorithm confusion** (signature forgery), and **JWT format confusion** (payload spoofing), plus two denial-of-service categories via CPU and memory exhaustion.
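To make two of the categories above concrete, here is a small added example (written for this summary, not code from the paper or from the JWTable tool). It builds a minimal HS256 compact-JWS signer and two verifiers: the vulnerable one lets the token's own `alg` header choose how verification happens, so a forged `alg: none` token is accepted; the hardened one pins the algorithm the application expects and rejects anything else. It also shows the compression-DoS side with a bounded raw-DEFLATE inflate, the check a library should apply before parsing a `zip: DEF` payload, demonstrated against a constructed decompression bomb. The RS256-to-HS256 key-confusion variant has the same root cause (trusting the header) but needs an RSA library, so it is not shown. All names, the demo key and the 64 KiB limit are assumptions made for this example.

```python
"""Added example (not from the paper or JWTable): HS256 JWS verification done
wrong (token-selected algorithm) and done right (pinned algorithm), plus a
bounded inflate for compressed payloads. Key and limits are demo values."""
import base64
import hashlib
import hmac
import json
import zlib

SECRET = b"demo-hmac-key-not-a-real-secret"   # constructed demo key
MAX_INFLATED = 64 * 1024                       # assumed cap on decompressed size


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes = SECRET) -> str:
    """Issue a legitimate compact JWS: header.payload.signature (RFC 7515)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(payload).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def forge_alg_none(payload: dict) -> str:
    """Attacker side: a token whose header claims it carries no signature."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(payload).encode())}."


def verify_vulnerable(token: str, key: bytes = SECRET) -> dict:
    """Algorithm confusion: the token, not the application, picks the algorithm."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header["alg"] == "none":
        return json.loads(b64url_decode(p))          # accepted with no check at all
    if header["alg"] == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    raise ValueError("bad signature")


def verify_hardened(token: str, key: bytes = SECRET, expected_alg: str = "HS256") -> dict:
    """The caller pins the algorithm; any other header value is rejected outright."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header), the encoding JWE's "zip": "DEF" uses (RFC 7516)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def inflate_bounded(data: bytes, limit: int = MAX_INFLATED) -> bytes:
    """Inflate at most `limit` bytes; a stream that would exceed it is refused.
    A library that inflates without a bound lets a few KiB of compressed input
    allocate gigabytes of output, which is the memory-exhaustion category."""
    d = zlib.decompressobj(-15)
    out = d.decompress(data, limit)
    if d.unconsumed_tail or not d.eof:
        raise ValueError("decompressed payload exceeds limit")
    return out


def make_bomb(size: int) -> bytes:
    """Constructed decompression bomb: `size` zero bytes compress to a few KiB."""
    return deflate_raw(b"\x00" * size)
```

Usage: `verify_hardened(sign_hs256({"sub": "alice"}))` returns the claims, while `verify_hardened(forge_alg_none({"sub": "admin"}))` raises on the header before any cryptography runs; `verify_vulnerable` accepts the forged token. `inflate_bounded(make_bomb(1024 * 1024), 64 * 1024)` raises instead of materialising a megabyte of zeros. The design point in both halves is the same: the verifier decides what it will accept (algorithm, size) from its own configuration, never from fields under the attacker's control.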
AI review
A systematic JWT vulnerability discovery framework that found 31 new vulnerabilities (20 CVEs) across 43 libraries, including a Kubernetes authentication bypass and a pre-auth DoS in Apache James. The FBNF grammar extension for cryptographic protocol fuzzing is well-designed, and having mitigations adopted into the IETF RFC draft demonstrates real-world impact. The vulnerability categories (format confusion, algorithm confusion, compression DoS) are immediately exploitable.