Join me on a journey through my recent source code reviews, where I uncovered vulnerabilities in Navidrome, an open-source music server written in Go, and explored how JWT libraries prevent algorithm confusion attacks on JSON Web Tokens.
In the first part of this talk, I will share my findings from examining Navidrome’s codebase, discussing specific security issues that emerged from my review, including insights gained from a CVE analysis.
The second part will focus on JWT algorithm confusion, a prevalent security issue that arises when a verifier lets the token's own alg header, rather than server-side configuration, decide how the signature is checked. I will examine real-world examples of this vulnerability and outline the common strategies developers use to prevent it.