
It's much worse than that. There are like 5 options for the algorithm value: none, RS256, HS256, etc.

The vulnerabilities imply that they don't verify the value against the very limited list of possible values, which is incredibly stupid.
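
The check the comment above says is missing, as an added example (not part of the comment and not any particular library's code): a verifier that holds its own allowlist and rejects any other `alg` value before it looks at the signature. The HS256-only allowlist, the key and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumption: this verifier accepts HS256 only. The allowlist is fixed here and
# never read from the token itself.
ALLOWED_ALGS = {"HS256": hashlib.sha256}


class InvalidToken(Exception):
    pass


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token (helper so the example is self-contained)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"


def verify(token: str, key: bytes) -> dict:
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise InvalidToken("malformed token") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    # Exact, case-sensitive match against the allowlist: "none", "None", RS256,
    # a missing field or a non-string value are all rejected at this point.
    digest = ALLOWED_ALGS.get(alg) if isinstance(alg, str) else None
    if digest is None:
        raise InvalidToken(f"algorithm not allowed: {alg!r}")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), digest).digest()
    if not hmac.compare_digest(expected, sig):
        raise InvalidToken("bad signature")
    return json.loads(b64url_decode(body_b64))
```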


