CVE-2026-25537

jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number), the library’s internal parsing mechanism marks the claim as “FailedToParse”. Crucially, the validation logic treats this “FailedToParse” state identically to “NotPresent”. This means that if a check is enabled (like: validate_nbf = true), but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like “Not Before” checks) and commit potential authentication and authorization bypasses. This issue has been patched in version 10.3.0.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01	Patch
https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc	Exploit Vendor Advisory
https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:keats:jsonwebtoken:*:*:*:*:*:rust:*:*

History

No history.

Information

Published : 2026-02-04 22:15

Updated : 2026-02-11 19:13

NVD link : CVE-2026-25537

Mitre link : CVE-2026-25537

CVE.ORG link : CVE-2026-25537

JSON object : View

Products Affected

keats

jsonwebtoken

CWE

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

{"id": "CVE-2026-25537", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-04T22:15:59.807", "references": [{"url": "https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-843"}]}], "descriptions": [{"lang": "en", "value": "jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number), the library\u2019s internal parsing mechanism marks the claim as \u201cFailedToParse\u201d. Crucially, the validation logic treats this \u201cFailedToParse\u201d state identically to \u201cNotPresent\u201d. This means that if a check is enabled (like: validate_nbf = true), but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like \u201cNot Before\u201d checks) and commit potential authentication and authorization bypasses. This issue has been patched in version 10.3.0."}, {"lang": "es", "value": "jsonwebtoken es una librer\u00eda JWT en Rust. Antes de la versi\u00f3n 10.3.0, existe una vulnerabilidad de confusi\u00f3n de tipos en jsonwebtoken, espec\u00edficamente, en su l\u00f3gica de validaci\u00f3n de declaraciones. Cuando una declaraci\u00f3n est\u00e1ndar (como nbf o exp) se proporciona con un tipo JSON incorrecto (como una cadena de texto en lugar de un n\u00famero), el mecanismo de an\u00e1lisis interno de la librer\u00eda marca la declaraci\u00f3n como 'FailedToParse'. Crucialmente, la l\u00f3gica de validaci\u00f3n trata este estado 'FailedToParse' id\u00e9nticamente a 'NotPresent'. Esto significa que si una verificaci\u00f3n est\u00e1 habilitada (como: validate_nbf = true), pero la declaraci\u00f3n no est\u00e1 expl\u00edcitamente marcada como requerida en required_spec_claims, la librer\u00eda omitir\u00e1 la verificaci\u00f3n de validaci\u00f3n por completo para la declaraci\u00f3n malformada, trat\u00e1ndola como si no estuviera presente. Esto permite a los atacantes eludir restricciones de seguridad cr\u00edticas basadas en el tiempo (como las verificaciones de 'Not Before') y realizar posibles elusiones de autenticaci\u00f3n y autorizaci\u00f3n. Este problema ha sido parcheado en la versi\u00f3n 10.3.0."}], "lastModified": "2026-02-11T19:13:47.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:keats:jsonwebtoken:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "2D8E0C7E-4688-48CB-B2EE-68D277D56183", "versionEndExcluding": "10.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}