Analyze and understand potential path traversal vulnerabilities in JWT headers.
The kid (Key ID) header parameter is intended to tell the server which key to use for signature verification. Vulnerabilities occur when servers use this value directly to load a file from the local filesystem (e.g., fs.readFileSync('/keys/' + kid)). An attacker can inject path traversal sequences like ../../ to access sensitive system files.
Allows attackers to force the server to load arbitrary files, potentially leaking system credentials or private keys.
Always whitelist permitted kid values and avoid path concatenation with user-supplied input.
Paste a token to begin analysis.
Enter a JWT to analyze the security risk of the 'kid' header parameter.