Cyber Resilience

CVE-2025-30144

Medium

Published: 19 March 2025

Published
19 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
EPSS Score 0.0213 84.5th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-30144 is a medium-severity Authentication Bypass by Spoofing (CWE-290) vulnerability. Its CVSS base score is 6.5 (Medium).

Operationally, ranked in the top 15.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 5.0.6, the fast-jwt library does not properly validate the iss claim based on the RFC 7519. The iss (issuer) claim validation within the fast-jwt library permits an array of strings…

more

as a valid iss value. This design flaw enables a potential attack where a malicious actor crafts a JWT with an iss claim structured as ['https://attacker-domain/', 'https://valid-iss']. Due to the permissive validation, the JWT will be deemed valid. Furthermore, if the application relies on external libraries like get-jwks that do not independently validate the iss claim, the attacker can leverage this vulnerability to forge a JWT that will be accepted by the victim application. Essentially, the attacker can insert their own domain into the iss array, alongside the legitimate issuer, and bypass the intended security checks. This issue is fixed in 5.0.6.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-290 CWE-345

Directly counters DNS response spoofing by requiring cryptographic origin authentication artifacts from the authoritative source.

addresses: CWE-290 CWE-345

Directly counters DNS response spoofing by requiring cryptographic origin authentication before trusting resolved names/addresses.

addresses: CWE-290

Reveals spoofed logon attempts through unexpected previous logon timestamps upon legitimate login.

addresses: CWE-290

Training specifically addresses recognizing spoofed communications and phishing that enable authentication bypass.

addresses: CWE-290

Requiring verifiable identity evidence at appropriate assurance levels makes it substantially harder for attackers to successfully spoof or impersonate users to obtain accounts.

addresses: CWE-290

Unique device authentication makes successful spoofing of device identity substantially more difficult to achieve.

addresses: CWE-290

Unique identification of non-organizational users reduces the feasibility of authentication bypass by spoofing.

addresses: CWE-290

Unique identification and authentication of services before communications makes spoofing of service identities substantially harder.

References