CVE-2026-29000

pac4j · pac4j-jwt

An authentication bypass in pac4j-jwt allows unauthenticated remote attackers to forge tokens by wrapping a PlainJWT in a JWE, bypassing signature verification.

Executive summary

The pac4j-jwt library contains a critical authentication bypass that allows unauthenticated attackers to forge administrative tokens and gain full access to protected applications.

Vulnerability

The JwtAuthenticator component fails to properly validate encrypted JSON Web Tokens (JWTs). With nothing more than the server's RSA public key, an unauthenticated remote attacker can create a JWE-wrapped PlainJWT with arbitrary claims; because the nested token is unsigned, signature verification is bypassed and the attacker can authenticate as any user, including administrators.

Business impact

This vulnerability carries a CVSS score of 10.0, as it allows for a total bypass of the application's security layer. An attacker can assume any identity, leading to unauthorized access to sensitive data, administrative functions, and potential full system takeover. This poses a massive risk to any application relying on pac4j for JWT-based security.

Remediation

Immediate Action: Update the pac4j-jwt dependency to versions 4.5.9, 5.7.9, 6.3.3, or later to ensure proper validation of encrypted tokens.

Proactive Monitoring: Review application logs for unusual administrative logins and inspect JWTs for unexpected "PlainJWT" structures nested within JWE containers.

Compensating Controls: Rotate RSA keys if a compromise is suspected and implement additional multi-factor authentication (MFA) to provide a layered defense against token forgery.
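As an added illustration (not pac4j's code and not the vendor patch), the gate a hardened authenticator applies to a JWE's decrypted plaintext, which also covers the "inspect JWTs for unexpected PlainJWT structures nested within JWE containers" monitoring step above. It is written in Python for portability, assumes the JWE has already been decrypted, and uses constructed sample tokens whose "signature" is a placeholder string rather than a real RSA signature.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JOSE base64url strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def classify_jwe_payload(plaintext: str) -> str:
    """Classify a JWE's decrypted plaintext: "claims" (bare JSON claims set),
    "signed_jwt" (nested JWS) or "unsigned_jwt" (nested PlainJWT)."""
    text = plaintext.strip()
    if text.startswith("{"):
        json.loads(text)  # must parse as a JSON object
        return "claims"
    parts = text.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/PlainJWT serialization")
    header = json.loads(_b64url_decode(parts[0]))
    # A PlainJWT declares alg "none" and carries an empty signature segment.
    if header.get("alg", "none") == "none" or parts[2] == "":
        return "unsigned_jwt"
    return "signed_jwt"

def accept_nested_token(plaintext: str) -> bool:
    """Gate applied before signature verification. Encryption to a public key
    proves nothing about the sender, so only a nested JWS (which must still
    pass signature verification afterwards) is allowed through."""
    return classify_jwe_payload(plaintext) == "signed_jwt"

# Constructed samples of the three plaintext shapes. The "signature" in the
# JWS sample is a placeholder string, not a real RSA signature.
def _compact(header: dict, claims: dict, signature: str) -> str:
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), signature])

CLAIMS = {"sub": "alice", "role": "admin"}
NESTED_PLAIN_JWT = _compact({"alg": "none"}, CLAIMS, "")
NESTED_SIGNED_JWT = _compact({"alg": "RS256"}, CLAIMS, "placeholder-signature")
BARE_CLAIMS = json.dumps(CLAIMS)

if __name__ == "__main__":
    for label, sample in (("PlainJWT", NESTED_PLAIN_JWT),
                          ("JWS", NESTED_SIGNED_JWT), ("claims", BARE_CLAIMS)):
        print(label, classify_jwe_payload(sample), accept_nested_token(sample))
```

The classifier only decides whether signature verification is even applicable; a nested JWS that passes this gate must still have its signature checked against the configured key.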

Exploitation status

Public Exploit Available: false

Analyst recommendation

Developers and system administrators must prioritize updating the pac4j-jwt library across all affected applications. Failure to patch this vulnerability leaves the application's entire authentication mechanism ineffective against a knowledgeable attacker.