jsonwebtoken has Type Confusion that leads to potential authorization bypass
Description
jsonwebtoken is a JWT library for Rust. Prior to version 10.3.0, its claim validation logic contains a type confusion vulnerability. When a standard claim (such as nbf or exp) is supplied with the wrong JSON type (for example a String instead of a Number), the library's internal parser marks the claim as "FailedToParse". Crucially, the validation logic treats this "FailedToParse" state identically to "NotPresent". So if a check is enabled (for example validate_nbf = true) but the claim is not explicitly listed in required_spec_claims, the library skips the validation check entirely for the malformed claim, treating it as if it were absent. This allows an attacker to bypass critical time-based restrictions (such as the "Not Before" check), leading to potential authentication and authorization bypasses. This issue has been patched in version 10.3.0.
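The skipped check, as an added Rust model that is not the library's own code: it reproduces the three claim states described above and contrasts the pre-10.3.0 handling of FailedToParse with the patched behaviour. The `Json` stand-in, the `patched` flag, the `required` slice (standing in for required_spec_claims) and the sample claims are all constructed for this example.

```rust
use std::collections::HashMap;

// Stand-in for a decoded JSON claim value (constructed for this example; the real
// library validates serde_json values).
enum Json {
    Num(u64),
    Str(String),
}

// The states the library's claim parser reports for a standard claim such as nbf.
enum Claim {
    NotPresent,
    FailedToParse,
    Present(u64),
}

fn parse_claim(claims: &HashMap<&'static str, Json>, name: &str) -> Claim {
    match claims.get(name) {
        None => Claim::NotPresent,
        Some(Json::Num(n)) => Claim::Present(*n),
        Some(Json::Str(_)) => Claim::FailedToParse, // wrong JSON type for the claim
    }
}

// "Not Before" check with validate_nbf enabled. `patched` selects the 10.3.0 behaviour:
// a claim that failed to parse is rejected instead of being treated as absent.
fn validate_nbf(claims: &HashMap<&'static str, Json>, required: &[&str], now: u64, patched: bool) -> Result<(), String> {
    match parse_claim(claims, "nbf") {
        Claim::Present(nbf) if nbf > now => Err("token not yet valid".into()),
        Claim::Present(_) => Ok(()),
        Claim::FailedToParse if patched => Err("nbf has an invalid type".into()),
        // Pre-10.3.0: FailedToParse falls through and is handled exactly like NotPresent.
        Claim::FailedToParse | Claim::NotPresent if required.contains(&"nbf") => {
            Err("missing required claim nbf".into())
        }
        Claim::FailedToParse | Claim::NotPresent => Ok(()), // check silently skipped
    }
}

fn claims_with_nbf(nbf: Json) -> HashMap<&'static str, Json> {
    HashMap::from([("sub", Json::Str("alice".into())), ("nbf", nbf)])
}

fn main() {
    let now = 1_700_000_000;
    let malformed = claims_with_nbf(Json::Str("9999999999".into())); // nbf as a String
    println!("pre-10.3.0, nbf not required: {:?}", validate_nbf(&malformed, &[], now, false));
    println!("10.3.0:                       {:?}", validate_nbf(&malformed, &[], now, true));
}
```

Listing "nbf" in required_spec_claims closes the gap even on an unpatched version, which is the workaround the skipped-check logic above makes visible.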
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jsonwebtoken (crates.io) | < 10.3.0 | 10.3.0 |
Affected products
22 entries (21 OSV package coordinates plus the GitHub project); none has a CPE assigned.

| Product | Affected range |
|---|---|
| pkg:apk/chainguard/komodo-core | < 2.0.0-r0 |
| pkg:apk/chainguard/lakekeeper | < 0.12.1-r0 |
| pkg:apk/chainguard/lychee | < 0.22.0-r4 |
| pkg:apk/chainguard/py3.10-hf-xet | < 1.2.0-r5 |
| pkg:apk/chainguard/py3.11-hf-xet | < 1.2.0-r5 |
| pkg:apk/chainguard/py3.12-hf-xet | < 1.2.0-r5 |
| pkg:apk/chainguard/py3.13-hf-xet | < 1.2.0-r5 |
| pkg:apk/chainguard/qdrant | < 1.16.3-r4 |
| pkg:apk/chainguard/uv | < 0.10.2-r1 |
| pkg:apk/chainguard/wasmcloud | < 2.0.1-r0 |
| pkg:apk/chainguard/zed | < 0.223.3-r0 |
| pkg:apk/wolfi/lychee | < 0.22.0-r4 |
| pkg:apk/wolfi/py3.10-hf-xet | < 1.2.0-r5 |
| pkg:apk/wolfi/py3.11-hf-xet | < 1.2.0-r5 |
| pkg:apk/wolfi/py3.12-hf-xet | < 1.2.0-r5 |
| pkg:apk/wolfi/py3.13-hf-xet | < 1.2.0-r5 |
| pkg:apk/wolfi/qdrant | < 1.16.3-r4 |
| pkg:apk/wolfi/uv | < 0.10.2-r1 |
| pkg:apk/wolfi/wasmcloud | < 2.0.1-r0 |
| pkg:apk/wolfi/zed | < 0.223.3-r0 |
| pkg:cargo/jsonwebtoken | < 10.3.0 |
| Keats/jsonwebtoken (GitHub) | < 10.3.0 |
References
- github.com/advisories/GHSA-h395-gr6q-cpjc (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25537 (NVD advisory)
- github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01 (fix commit)
- github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc (project advisory, confirmation)