The appsup-dart jose library versions before 0.3.5+1 suffer from improper verification of cryptographic signatures (CWE-347). Specifically, the library treats a JSON Web Key (jwk) embedded in the JOSE header as a valid verification key without ensuring it is present in the trusted key store. Since JOSE headers are untrusted input, an attacker can craft a token with a malicious jwk in the header and sign it with the corresponding private key, resulting in forged valid tokens. This vulnerability affects applications using the affected versions for token verification. The issue is resolved in version 0.3.5+1. The vulnerability has a CVSS 3.1 score of 7.5 (high severity) with network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact.

An attacker can forge valid JWS/JWT tokens without authentication by exploiting the improper verification of cryptographic signatures. This can lead to unauthorized actions or access in applications relying on the vulnerable jose library for token verification. There is no reported exploitation in the wild as of the published date.

A fix is available in appsup-dart jose version 0.3.5+1. Users should upgrade to this version or later to remediate the vulnerability. As a workaround, applications should reject tokens containing a jwk header unless the key matches one already present in the application's trusted key store. No other mitigation steps are specifically recommended by the vendor advisory.