Improper JWT Audience Validation occurs when an application accepts a JSON Web Token (JWT) without verifying the `aud` (audience) claim. The `aud` claim specifies which service or application the token is intended for. If this validation step is skipped, a token issued for one service (e.g., Service A) can be replayed against another service (e.g., Service B). This allows adversaries to bypass authentication boundaries, impersonate users across services, or escalate privileges by reusing tokens outside their intended scope.
Remediation
Always validate the `aud` claim during JWT verification, ensuring the token was issued for the current service or API.
Reject tokens with missing or unexpected `aud` values.
Apply strict validation of other critical claims (`iss`, `exp`, `nbf`) in addition to `aud`.
Use distinct audience values for each service and avoid reusing the same JWT across multiple applications.
Prefer well-vetted JWT libraries that enforce claim validation by default rather than rolling custom verification logic.
Regularly audit authentication flows to confirm that audience checks are consistently applied.
Metadata
Severity: high
Slug: improper-jwt-audience-validation
CWEs
345: Insufficient Verification of Data Authenticity
285: Improper Authorization
287: Improper Authentication
OWASP
A01:2021: Broken Access Control
A07:2021: Identification and Authentication Failures
Available Labs
Select a language to explore available labs for this vulnerability.
Want to skill-up in secure coding and AppSec?
Try SecDim Wargames to learn how to find, hack
and fix security vulnerabilities inspired by real-world incidents.
Join our secure coding and AppSec community.
A discussion board to share and
discuss all aspects of secure
programming, AppSec, DevSecOps,
fuzzing, cloudsec, AIsec
code review, and more.
