
Critical · CVSS 9.1 · CVE-2026-44351 · GHSA-gmvf-9v4p-v8jc

The Empty String That Bypassed JWT Verification: GHSA-gmvf-9v4p-v8jc

A zero-length HMAC key in fast-jwt 6.2.3 lets an attacker forge any JWT and pass signature verification. Here's the bug, the bypass walked through end to end, and the four-line fix that closes it.

Offline Mode
// 4 cards
  • speedcubing (~13s pb) · Solving Rubik's cubes as fast as possible. A perfect blend of muscle memory, algorithms, and 3D logic.
  • music production (sound design) · Composing and producing electronic music with Ableton Live, Logic Pro, and FL Studio.
  • hardware (iot, lorawan) · Tinkering with microcontrollers, Raspberry Pi, and IoT devices.
  • photography (nature) · Looking for the stories hidden in the scenery.