Applications that decode JSON Web Tokens (JWT) may be misconfigured to accept the "none" algorithm.
The "none" algorithm is selected when verify() is called with a falsy value (such as false, null
or an empty string) in place of a cryptographic secret or key. With "none", the token's signature
is never checked, so integrity enforcement of the JWT payload is disabled and a malicious actor can
make unintended changes to the payload (for example to a user identifier or role claim) and still
have the token accepted, leading to critical security issues like privilege escalation.
Calls to verify() functions should always pass a cryptographic secret or key so that the signature
is checked before the JWT payload is trusted.
In the example below, false is passed instead of a secret, which disables the integrity enforcement
of the JWT payload. This may allow a malicious actor to make changes to the JWT payload.
The following code fixes the problem by using a cryptographic secret or key to verify JWT payloads.