JavaScript JWT Lack of Expiration
Description
This vulnerability detector identifies JWT (JSON Web Token) implementations that lack proper expiration time configuration. JWTs without expiration times remain valid indefinitely, creating a significant security risk where compromised tokens can be used perpetually for unauthorized access.
Detection Strategy
• Scans JavaScript source code for JWT creation or signing operations
• Identifies JWT library function calls such as jwt.sign(), jsonwebtoken.sign(), or similar token generation methods
• Analyzes the payload or options parameters passed to JWT functions to check for expiration-related fields
• Reports a vulnerability when JWT tokens are created without specifying expiration time fields like 'exp', 'expiresIn', or similar time-based constraints
• Focuses on JWT implementations where tokens are generated without any temporal limitations that would automatically invalidate them
Vulnerable code example
const jwt = require("jsonwebtoken");
const SECRET = "super-secret-key";
// VULNERABLE: No expiresIn option - token never expires
const token1 = jwt.sign(
  { userId: 1, role: "admin" },
  SECRET
);
✅ Secure code example
const jwt = require("jsonwebtoken");
const SECRET = "super-secret-key";
// SECURE: Added expiresIn option - token expires in 1 hour
const token1 = jwt.sign(
  { userId: 1, role: "admin" },
  SECRET,
  { expiresIn: "1h" }
);