| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| atlassian-connect-express | npm | >= 3.0.2, < 6.6.0 | 6.6.0 |
The vulnerability stems from improper JWT type validation in the authentication middleware. The critical function is `addon.authenticate()`, which handles request authentication. Atlassian Connect apps receive two kinds of JWT: server-to-server JWTs, whose `qsh` claim is a hash of the canonical request and therefore binds the token to one method and path, and context JWTs, which carry a fixed `qsh` value and are only meant for requests originating from the app's own iframe content. In vulnerable versions (3.0.2 up to, but not including, 6.6.0) the middleware did not restrict context JWTs on lifecycle endpoints, so a bare `addon.authenticate()` accepted either token type. The patch requires an explicit `skipQshVerification=true` parameter for endpoints that should accept context JWTs, which shows that the base `authenticate()` was missing enforcement of server-to-server JWTs: after the fix, the default call rejects context JWTs, and only routes that opt in accept them. This matches the upgrade guidance for the fix, in which vulnerable endpoints used the unparameterised `authenticate()` while fixed implementations must pass the parameter on context-JWT routes. When upgrading to 6.6.0 or later, audit every route that calls `addon.authenticate(true)`: those routes skip the request-binding check, so none of them should be a lifecycle or other state-changing endpoint.