Description
jsonwebtoken is a JWT library in Rust. Prior to version 10.3.0, there is a type confusion vulnerability in jsonwebtoken, specifically in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (such as a string instead of a number), the library's internal parsing mechanism marks the claim as "FailedToParse". Crucially, the validation logic treats this "FailedToParse" state identically to "NotPresent". This means that if a check is enabled (for example validate_nbf = true) but the claim is not explicitly marked as required in required_spec_claims, the library skips the validation check entirely for the malformed claim, treating it as if it were absent. This allows attackers to bypass critical time-based security restrictions (such as "Not Before" checks) and achieve potential authentication and authorization bypasses. This issue has been patched in version 10.3.0.
Published: 2026-02-04
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Apply Patch
AI Analysis

Impact

Type confusion in the Rust JWT library allows an attacker to craft a JWT that contains standard claims such as "nbf" or "exp" with an incorrect JSON type, causing the parser to mark the claim as "FailedToParse" and treat it as if the claim were not present. Because the validation logic treats a failed parse identically to a missing claim and because the claim is not marked as required in "required_spec_claims", the library skips validation, permitting the attacker to bypass time‑based restrictions. This flaw can enable authentication or authorization circumvention without the proper credential checks.

Affected Systems

The vulnerability affects all versions of Keats' "jsonwebtoken" Rust library older than 10.3.0. Any application, service, or component that links against this library for JWT validation is potentially exposed, regardless of operating system or deployment environment, as long as the vulnerable version is in use.

Risk and Exploitability

The flaw carries a CVSS score of 5.5 and an EPSS of less than 1%, reflecting moderate severity and a low probability of real-world exploitation. Attackers can trigger the vulnerability by supplying a maliciously crafted JWT to any application endpoint that performs token validation, such as a web API or authentication middleware, provided they can influence the token payload. The requirement to forge a JWT with the wrong claim type limits the attack to contexts where the attacker has control over token creation or possesses the signing key, thereby bounding risk to systems that issue or process tokens from untrusted sources.

Generated by OpenCVE AI on April 17, 2026 at 23:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the jsonwebtoken library to version 10.3.0 or later. This patch removes the type‑confusion bug so claim validation behaves correctly.
  • If an immediate upgrade is not possible, add custom validation logic that rejects JWTs where the "nbf" or "exp" claims are not numeric values, ensuring that malformed claims are treated as errors rather than ignored. In applications that already enforce required_spec_claims, extend the enforcement to critical time‑based claims to counter the bug.
  • Consider substituting the vulnerable library with an alternative JWT implementation that enforces strict claim type validation if the current environment cannot be upgraded promptly.

Generated by OpenCVE AI on April 17, 2026 at 23:10 UTC.
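To make the described behaviour concrete, the following is an added example and not the jsonwebtoken crate's own code: it models the claim-parsing states the description names (NotPresent, FailedToParse, Present) and contrasts the pre-10.3.0 handling, where a failed parse is treated like an absent claim, with the strict handling that the recommended custom validation should mirror. The types and functions (ClaimValue, ClaimState, parse_numeric_claim, validate_nbf_vulnerable, validate_nbf_fixed) are illustrative assumptions, not the library's API.

```rust
/// One JSON claim value as a parser would see it (modelled here; stands in
/// for a real JSON value type so the example has no crate dependencies).
#[derive(Debug)]
pub enum ClaimValue {
    Missing,
    Number(u64),
    Other(&'static str), // e.g. a string where a NumericDate was expected
}

/// Outcome of parsing a numeric-date claim such as `nbf` or `exp`.
#[derive(Debug, PartialEq)]
pub enum ClaimState {
    NotPresent,
    FailedToParse,
    Present(u64),
}

pub fn parse_numeric_claim(v: &ClaimValue) -> ClaimState {
    match v {
        ClaimValue::Missing => ClaimState::NotPresent,
        ClaimValue::Number(n) => ClaimState::Present(*n),
        ClaimValue::Other(_) => ClaimState::FailedToParse,
    }
}

/// Pre-10.3.0 shape as the advisory describes it: FailedToParse is handled
/// exactly like NotPresent, so unless the claim is required the check is skipped.
pub fn validate_nbf_vulnerable(state: &ClaimState, required: bool, now: u64) -> Result<(), &'static str> {
    match state {
        ClaimState::Present(nbf) if *nbf > now => Err("token not yet valid"),
        ClaimState::Present(_) => Ok(()),
        ClaimState::NotPresent | ClaimState::FailedToParse if required => Err("nbf claim missing"),
        _ => Ok(()), // a malformed nbf is silently accepted here
    }
}

/// Fixed shape: a claim with the wrong JSON type is rejected outright,
/// independent of whether it is listed in required_spec_claims.
pub fn validate_nbf_fixed(state: &ClaimState, required: bool, now: u64) -> Result<(), &'static str> {
    match state {
        ClaimState::Present(nbf) if *nbf > now => Err("token not yet valid"),
        ClaimState::Present(_) => Ok(()),
        ClaimState::FailedToParse => Err("nbf claim has wrong JSON type"),
        ClaimState::NotPresent if required => Err("nbf claim missing"),
        ClaimState::NotPresent => Ok(()),
    }
}
```

With `required == false` and a constructed token whose `nbf` is the string "9999999999", `validate_nbf_vulnerable` returns `Ok(())` while `validate_nbf_fixed` returns an error.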


Advisories

  Source: GitHub GHSA
  ID: GHSA-h395-gr6q-cpjc
  Title: jsonwebtoken has Type Confusion that leads to potential authorization bypass
History

Wed, 11 Feb 2026 19:15:00 +0000
  CPEs (values added): cpe:2.3:a:keats:jsonwebtoken:*:*:*:*:*:rust:*:*
  Metrics cvssV3_1 (values removed): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
  Metrics cvssV3_1 (values added): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Sat, 07 Feb 2026 12:15:00 +0000
  References: (no values shown)
  Metrics threat_severity (values removed): None
  Metrics cvssV3_1 (values added): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
  Metrics threat_severity (values added): Moderate

Thu, 05 Feb 2026 21:15:00 +0000
  Metrics ssvc (values added): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000
  First Time appeared (values added): Keats; Keats jsonwebtoken
  Vendors & Products (values added): Keats; Keats jsonwebtoken

Wed, 04 Feb 2026 21:45:00 +0000
  Description (values added): identical to the Description at the top of this page
  Title (values added): jsonwebtoken has Type Confusion that leads to potential authorization bypass
  Weaknesses (values added): CWE-843
  References: (no values shown)
  Metrics cvssV4_0 (values added): {'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T20:52:48.021Z

Reserved: 2026-02-02T19:59:47.374Z

Link: CVE-2026-25537

Vulnrichment

Updated: 2026-02-05T20:52:32.068Z

NVD

Status : Analyzed

Published: 2026-02-04T22:15:59.807

Modified: 2026-02-11T19:13:47.607

Link: CVE-2026-25537

Redhat

Severity : Moderate

Public Date: 2026-02-04T21:31:53Z

Links: CVE-2026-25537 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses