express-jwt pinned to 0.1.3 — pre-6.0 algorithm verification bypass

The dependency block contains:

"express-jwt": "0.1.3",

express-jwt versions before 6.0.0 are affected by CVE-2020-15084: the library did not enforce the algorithms option, so an attacker can craft a token signed with HS256 using the server's RSA public key as the HMAC secret (algorithm confusion), or otherwise bypass verification. 0.1.3 is one of the earliest published versions and predates virtually every security fix this package has shipped. There is no inline justification or override; this is loaded as a production dependency.

1. Install the app's deps so express-jwt@0.1.3 is resolved.
2. Obtain the server's RS256 public key (commonly exposed at a JWKs endpoint or in source).
3. Forge a JWT with header {"alg":"HS256"} and sign it using the public key as the HMAC secret.
4. Send it as Authorization: Bearer <token>; the middleware accepts it as a valid RS256-issued token.

Any route protected by this middleware can be reached as an arbitrary user (including admin), with no credentials required beyond knowledge of the public key. Unauthenticated → full auth bypass on protected APIs.

The package.json line "express-jwt": "0.1.3" is an exact pin to a version released in 2013, far predating the 6.0.0 fix for CVE-2020-15084 (and many other express-jwt advisories such as CVE-2014-7191 / GHSA-c2qf-rxjj-qqgw on algorithm verification). The companion "jsonwebtoken": "0.4.0" pin further confirms an unpatched JWT stack vulnerable to algorithm confusion / signature bypass. Per scope guidance, Juice Shop is to be evaluated as a real production app, so the intentional-vulnerability nature is not a mitigation. The exploit chain (forge HS256 token signed with the RSA public key) is directly reachable on any route guarded by the resulting middleware.

The dependency block pins "express-jwt": "0.1.3", a version vulnerable to CVE-2020-15084 where the algorithms option is not enforced, enabling algorithm-confusion (signing with HS256 using the RSA public key as the HMAC secret) or even alg:none bypasses. Exploitation is performed remotely over HTTP by sending an Authorization: Bearer <forged> header to any route guarded by this middleware, requiring no credentials and no victim interaction. The PoC requires only the server's public key (which is public by design), so AC remains Low. The result is a complete authentication bypass allowing impersonation of arbitrary users including admin, yielding full Confidentiality, Integrity, and Availability impact within the application's security authority (Scope: Unchanged).