
CVE-2024-10125 - missing JWT issuer and signer validation in aws-alb-identity-aspnetcore

The Amazon.ApplicationLoadBalancer.Identity.AspNetCore repository contains middleware for use with the Application Load Balancer (ALB) OpenID Connect integration in ASP.NET Core deployments. The repository's JWT handling code has a security vulnerability: it does not validate the JWT issuer or the signer identity. The vulnerability can be exploited if the infrastructure owner allows internet traffic to the ALB targets, which lets an untrusted entity sign JWTs and mimic valid OIDC-federated sessions.

All versions of the repository are affected. The repository has been deprecated and is no longer actively supported.

As a security best practice, users should ensure that their ELB targets do not have public IP addresses. Additionally, users should validate that the signer attribute in the JWT matches the ARN of the Application Load Balancer; this check is essential to prevent security breaches. The ALB documentation provides guidance on verifying the signature and validating the signer field in the JWT header.

This vulnerability has been assigned CVE-2024-10125. Users with security questions or concerns can email [email protected] for assistance.
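The following is an added example, not code from the aws-alb-identity-aspnetcore project or from the ALB documentation, showing the identity checks the advisory says were missing: the `signer` ARN and the `iss` value carried in the header of an ALB-issued `x-amzn-oidc-data` token are compared against the values the application expects before any key is trusted for signature verification. The key-id pattern, the ARN pattern, the expected ARN and issuer, and the sample tokens are all constructed for this example; the header layout (`alg`, `kid`, `signer`, `iss`, `client`, `exp`) follows the ALB documentation. Signature verification with the resolved key is left to a JWT library (for example PyJWT with `algorithms=["ES256"]`) and is not performed here.

```python
"""Pre-signature identity checks for an ALB-issued x-amzn-oidc-data JWT.

Added example; not the project's middleware. It rejects a token whose
header 'signer' is not the application's own ALB ARN, or whose 'iss' is
not the OIDC provider configured on the listener, before the kid is used
to look up a verification key.
"""
import base64
import json
import re
import time

# Assumed shape for an ALB key id (UUID-style). Used only so that a
# header-controlled 'kid' cannot steer the key lookup to an odd path.
KID_PATTERN = re.compile(r"^[A-Za-z0-9-]{8,128}$")
# Assumed shape for an application load balancer ARN; group 1 is the region.
ALB_ARN_PATTERN = re.compile(
    r"^arn:aws[a-z-]*:elasticloadbalancing:([a-z0-9-]+):\d{12}:"
    r"loadbalancer/app/[^/]+/[0-9a-f]+$"
)


class AlbTokenError(Exception):
    """Raised when a token fails an identity or structural check."""


def b64url_decode(segment: str) -> bytes:
    # ALB strips base64 padding; restore it so the segment decodes cleanly.
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_token(token: str):
    """Return (header, payload) dicts from a compact header.payload.sig token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AlbTokenError("token must have exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise AlbTokenError("header and payload must be JSON objects")
    return header, payload


def validate_alb_token_identity(token, expected_signer, expected_issuer, now=None):
    """Return (header, payload, key_url) if every identity check passes."""
    now = time.time() if now is None else now
    header, payload = split_token(token)

    # 1. Only the algorithm ALB uses; 'none' and HMAC variants are rejected.
    if header.get("alg") != "ES256":
        raise AlbTokenError(f"unexpected alg {header.get('alg')!r}")

    # 2. The signer must be this application's own ALB, compared exactly.
    signer = header.get("signer")
    if not isinstance(signer, str) or signer != expected_signer:
        raise AlbTokenError("signer does not match the expected ALB ARN")
    match = ALB_ARN_PATTERN.match(signer)
    if match is None:
        raise AlbTokenError("expected signer is not an application ALB ARN")
    region = match.group(1)

    # 3. The issuer must be the OIDC provider configured on the listener rule.
    if header.get("iss") != expected_issuer:
        raise AlbTokenError("issuer does not match the configured OIDC provider")

    # 4. Expiry: ALB places 'exp' (epoch seconds) in the header.
    exp = header.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AlbTokenError("token expired or missing exp")

    # 5. Only now is the kid used, and only for the validated signer's region.
    kid = header.get("kid")
    if not isinstance(kid, str) or not KID_PATTERN.match(kid):
        raise AlbTokenError("malformed kid")
    key_url = f"https://public-keys.auth.elb.{region}.amazonaws.com/{kid}"
    return header, payload, key_url


def check_token(token, expected_signer, expected_issuer, now=None):
    """Convenience wrapper: ('ok', key_url) or ('rejected', reason)."""
    try:
        _, _, key_url = validate_alb_token_identity(
            token, expected_signer, expected_issuer, now)
        return ("ok", key_url)
    except (AlbTokenError, ValueError) as err:
        return ("rejected", str(err))


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a header.payload.sig string with a dummy signature (test data only)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.c2ln"


# Constructed sample values (not real resources).
MY_ALB_ARN = ("arn:aws:elasticloadbalancing:us-west-2:123456789012:"
              "loadbalancer/app/my-alb/50dc6c495c0c9188")
MY_ISSUER = "https://idp.example.com"
SAMPLE_HEADER = {"alg": "ES256", "kid": "12345678-1234-1234-1234-123456789012",
                 "signer": MY_ALB_ARN, "iss": MY_ISSUER, "client": "client-id",
                 "exp": 2_000_000_000}
SAMPLE_PAYLOAD = {"sub": "user-1", "email": "user@example.com"}

if __name__ == "__main__":
    good = make_unsigned_token(SAMPLE_HEADER, SAMPLE_PAYLOAD)
    print(check_token(good, MY_ALB_ARN, MY_ISSUER, now=1_700_000_000))
```

The ordering matters: the `kid` is only turned into a key URL after the signer and issuer have been accepted, so a token from any other load balancer is refused before a key fetch, and the subsequent signature check then runs against a key that belongs to the expected signer.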