=== Improper JWT Audience Validation

Improper JWT Audience Validation occurs when an application accepts a JSON Web Token (JWT) without verifying the `aud` (audience) claim. The `aud` claim specifies which service or application the token is intended for. If this validation step is skipped, a token issued for one service (e.g., Service A) can be replayed against another service (e.g., Service B). This allows adversaries to bypass authentication boundaries, impersonate users across services, or escalate privileges by reusing tokens outside their intended scope.

Remediation

  • Always validate the `aud` claim during JWT verification, ensuring the token was issued for the current service or API.
  • Reject tokens with missing or unexpected `aud` values.
  • Apply strict validation of other critical claims (`iss`, `exp`, `nbf`) in addition to `aud`.
  • Use distinct audience values for each service and avoid reusing the same JWT across multiple applications.
  • Prefer well-vetted JWT libraries that enforce claim validation by default rather than rolling custom verification logic.
  • Regularly audit authentication flows to confirm that audience checks are consistently applied.
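The replay described above and the checks in the list, shown as an added example that is not SecDim's lab code: a minimal HS256 verifier built on the Python standard library, where the secret, issuer and service names are constructed values. Passing `expected_aud=None` reproduces the vulnerable verifier; passing the service's own audience is the remediated path.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example: a shared HS256 secret and the issuer name.
SECRET = b"example-shared-secret-do-not-reuse"
ISSUER = "https://idp.example"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict) -> str:
    """Mint an HS256 JWT (used only to build sample tokens for the demonstration)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, expected_iss: str, expected_aud) -> dict:
    """Verify signature, exp and iss, then aud. expected_aud=None reproduces the
    vulnerable verifier: any audience (or a missing one) is accepted."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    if expected_aud is not None:
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]  # RFC 7519: string or array
        if expected_aud not in audiences:  # a missing aud becomes [None] and is rejected
            raise ValueError("token not intended for this service")
    return claims

def replay(minted_for, presented_to: str, check_aud: bool = True) -> bool:
    """Mint a token for `minted_for` (None omits aud) and ask `presented_to` to accept it."""
    claims = {"sub": "alice", "iss": ISSUER, "exp": int(time.time()) + 300}
    if minted_for is not None:
        claims["aud"] = minted_for
    try:
        verify_token(issue_token(claims), ISSUER, presented_to if check_aud else None)
        return True
    except ValueError:
        return False
```

With `check_aud=False`, a token minted for `service-a` is accepted by `service-b`; with the audience check in place the same token is rejected, as is one with no `aud` claim at all.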

Metadata

  • Severity: high
  • Slug: improper-jwt-audience-validation

CWEs

  • 345: Insufficient Verification of Data Authenticity
  • 285: Improper Authorization
  • 287: Improper Authentication

OWASP

  • A01:2021: Broken Access Control
  • A07:2021: Identification and Authentication Failures

Available Labs

Open Python labs in SecDim Play for this vulnerability.
