JWT authentication can be bypassed when AuthorizationPolicy is misused.
|CVSS Impact Score
Envoy, and subsequently Istio, is vulnerable to a newly discovered vulnerability:
JWT authentication bypass with unknown issuer token
- CVSS Score: 8.2 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
You are subject to the vulnerability if you are using
RequestAuthentication alone for JWT validation.
You are not subject to the vulnerability if you use both
AuthorizationPolicy for JWT validation.
For Istio, this vulnerability only exists if your service:
- Accepts JWT tokens (with
- Has some service paths without
For the service paths that both conditions are met, an incoming request with a JWT token, and the token issuer is not in
RequestAuthentication will bypass the JWT validation, instead of getting rejected.
For proper JWT validation, you should always use the
AuthorizationPolicy as documented on istio.io for
specifying a valid token.
To do this you will have to audit all of your
RequestAuthentication and subsequent
AuthorizationPolicy resources to
make sure they align with the documented practice.
We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.