JWT.php in F21 JWT before 2.0 allows remote attackers to bypass signature verification via crafted tokens.