
We use it, but restrict the sig alg to a couple of known-good values, so am hoping this particular vulnerability is not present in our system.

We had an infosec guy excitedly tell us that PASETO was the future, and we need to change to it right now. It looked good, and a way to avoid some of the possible JWT issues in the same way having a TLS implementation that only allowed strong ciphers might.

But we have to integrate with so many third-party pieces that require JWT it wasn't an option.


