CVE-2021-44878

Severity: HIGH | CVSS 7.5/10 | EPSS 0.90%

Last modified

CVE-2021-44878 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it unless explicitly configured to do so, and does not refuse it for the "idtoken" response type; this is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows an attacker to bypass the token validation by injecting a malformed ID token using "none" as the value of the "alg" key in the header with an empty signature value. EPSS estimates a 0.90% chance of exploitation in the next 30 days.

Description

If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it unless explicitly configured to do so, and does not refuse it for the "idtoken" response type; this is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows an attacker to bypass the token validation by injecting a malformed ID token using "none" as the value of the "alg" key in the header with an empty signature value.
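The check the description calls for, shown as an added Python illustration (not pac4j's own Java code): a minimal ID token validator whose secure default refuses "alg": "none" outright and only accepts an unsigned token behind an explicit opt-in flag. HS256 with a constructed shared secret stands in for the RS256 signatures real providers issue; the helper names and sample claims are assumptions.

```python
import base64, hashlib, hmac, json

def b64url_decode(s: str) -> bytes:
    # Restore the padding that base64url strips before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(payload: dict, alg: str, key: bytes = b"") -> str:
    # Builds constructed test tokens; "none" yields an empty signature segment,
    # the shape the advisory describes. Real providers typically use RS256.
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = b""
    if alg == "HS256":
        sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate_id_token(token: str, key: bytes, allow_none: bool = False) -> dict:
    # allow_none stands in for the explicit opt-in the advisory mentions; the
    # secure default refuses unsigned ID tokens whatever the header claims.
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg == "none":
        if not allow_none:
            raise ValueError("unsigned ID token rejected (alg=none)")
        return json.loads(b64url_decode(payload_b64))
    if alg != "HS256":
        raise ValueError(f"unsupported alg {alg!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("ID token signature mismatch")
    return json.loads(b64url_decode(payload_b64))

def accepts(token: str, key: bytes, allow_none: bool = False) -> bool:
    # True if the relying party would trust this token under the given policy.
    try:
        validate_id_token(token, key, allow_none)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    key, claims = b"constructed-shared-secret", {"iss": "https://op.example", "sub": "alice"}
    print(accepts(make_token(claims, "HS256", key), key))  # True
    print(accepts(make_token(claims, "none"), key))        # False
```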

Metrics

CVSS 3.1
7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Probability
0.90%

54.9th percentile

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor    Product    Versions
Pac4j     Pac4j      < 4.5.5
Pac4j     Pac4j      >= 5.0.0, < 5.3.1

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2021-44878?
If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it unless explicitly configured to do so, and does not refuse it for the "idtoken" response type; this is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows an attacker to bypass the token validation by injecting a malformed ID token using "none" as the value of the "alg" key in the header with an empty signature value.
How severe is CVE-2021-44878?
CVE-2021-44878 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.90% probability of exploitation in the next 30 days.
How do I fix CVE-2021-44878?
Upgrade to a fixed release (4.5.5 or later on the 4.x line, 5.3.1 or later on the 5.x line, per the affected-software table above) and check the vendor references and advisories for further mitigation guidance.


Source: NVD / NIST