CVE-2026-25537
Published: 04 February 2026
Summary
CVE-2026-25537 is a high-severity Type Confusion (CWE-843) vulnerability in Keats Jsonwebtoken. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in JWT validation library enables remote exploitation of public-facing applications (T1190) via crafted/forged tokens that bypass nbf/exp checks for auth bypass (T1606).
NVD Description
jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (like a String instead of a Number), the library’s internal parsing mechanism marks the claim as “FailedToParse”. Crucially, the validation logic treats this “FailedToParse” state identically to “NotPresent”. This means that if a check is enabled (like: validate_nbf = true), but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like “Not Before” checks) and commit potential authentication and authorization bypasses. This issue has been patched in version 10.3.0.
Deeper analysis
CVE-2026-25537 is a type confusion vulnerability (CWE-843) in the jsonwebtoken library, a Rust implementation for handling JSON Web Tokens (JWTs). Affecting versions prior to 10.3.0, the issue resides in the claim validation logic for standard claims such as "nbf" (not before) or "exp" (expiration). When these claims are provided with an incorrect JSON type—for instance, a string instead of the expected number—the library's parsing mechanism flags them as "FailedToParse." The validation logic then treats this state equivalently to "NotPresent," causing enabled checks (e.g., validate_nbf = true) to be skipped entirely unless the claim is explicitly listed in required_spec_claims.
Remote attackers require no privileges or user interaction to exploit this vulnerability, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). By crafting a malicious JWT with a standard claim using the wrong JSON type, an attacker can bypass critical time-based security restrictions. This enables the token to be accepted before its intended "not before" time or after its expiration, potentially leading to authentication and authorization bypasses in applications relying on the library for JWT validation.
The jsonwebtoken security advisories (GHSA-h395-gr6q-cpjc) and the patching commit (abbc3076742c4161347bc6b8bf4aa5eb86e1dc01) confirm that the issue is fully resolved in version 10.3.0. Security practitioners should immediately upgrade affected applications to this version or later to mitigate the vulnerability, as no workarounds are mentioned in the available references.
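The following Rust snippet is an added illustration of the claim-state logic described in the NVD text and the analysis above; it is not code from the jsonwebtoken crate or from the patching commit. It models the three states the advisory names (NotPresent, FailedToParse, Present) with a hypothetical `ClaimState` enum and a stand-in `JsonVal` type, then runs the same constructed payload through two policies: `validate_pre_fix`, where a FailedToParse claim is handled like NotPresent and the check is skipped, and `validate_fixed`, where a wrong-typed claim is a hard failure. The option names `validate_nbf`, `validate_exp` and `required_spec_claims` are taken from the advisory; the function and type names, the payload and the "current time" are constructed for this example.

```rust
use std::collections::HashMap;

/// Stand-in for a decoded JSON value (hypothetical). Only the two cases the
/// advisory contrasts are modelled: a number and a string.
#[derive(Debug, Clone)]
pub enum JsonVal {
    Num(u64),
    Str(String),
}

/// The three states the advisory describes for a numeric standard claim.
#[derive(Debug, PartialEq)]
pub enum ClaimState {
    NotPresent,
    FailedToParse,
    Present(u64),
}

/// Look up a claim that must be a JSON number (e.g. "nbf", "exp").
pub fn classify(payload: &HashMap<&str, JsonVal>, name: &str) -> ClaimState {
    match payload.get(name) {
        None => ClaimState::NotPresent,
        Some(JsonVal::Num(n)) => ClaimState::Present(*n),
        Some(_) => ClaimState::FailedToParse, // present, but wrong JSON type
    }
}

/// Validation settings, named after the options the advisory mentions.
pub struct Validation<'a> {
    pub validate_nbf: bool,
    pub validate_exp: bool,
    pub required_spec_claims: Vec<&'a str>,
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Accept,
    Reject(&'static str),
}

/// Shared core. `strict_types` decides what FailedToParse means:
/// false models the pre-10.3.0 behaviour (treated like NotPresent, check skipped),
/// true models the fix (a malformed claim fails validation outright).
fn validate(payload: &HashMap<&str, JsonVal>, v: &Validation, now: u64, strict_types: bool) -> Verdict {
    // Required claims must be present and well-typed under both policies.
    for name in &v.required_spec_claims {
        if !matches!(classify(payload, name), ClaimState::Present(_)) {
            return Verdict::Reject("required claim missing or malformed");
        }
    }
    if v.validate_nbf {
        match classify(payload, "nbf") {
            ClaimState::Present(nbf) if now < nbf => return Verdict::Reject("token not yet valid"),
            ClaimState::FailedToParse if strict_types => return Verdict::Reject("nbf has wrong JSON type"),
            _ => {} // NotPresent, or FailedToParse under the old logic: check silently skipped
        }
    }
    if v.validate_exp {
        match classify(payload, "exp") {
            ClaimState::Present(exp) if now >= exp => return Verdict::Reject("token expired"),
            ClaimState::FailedToParse if strict_types => return Verdict::Reject("exp has wrong JSON type"),
            _ => {}
        }
    }
    Verdict::Accept
}

pub fn validate_pre_fix(payload: &HashMap<&str, JsonVal>, v: &Validation, now: u64) -> Verdict {
    validate(payload, v, now, false)
}

pub fn validate_fixed(payload: &HashMap<&str, JsonVal>, v: &Validation, now: u64) -> Verdict {
    validate(payload, v, now, true)
}

/// Constructed sample payload: `nbf` is far in the future but encoded as a
/// JSON string, the malformed shape the advisory describes.
pub fn sample_payload() -> HashMap<&'static str, JsonVal> {
    let mut p = HashMap::new();
    p.insert("sub", JsonVal::Str("alice".to_string()));
    p.insert("nbf", JsonVal::Str("9999999999".to_string()));
    p.insert("exp", JsonVal::Num(2_000_000_000));
    p
}

fn main() {
    let now = 1_700_000_000; // constructed "current time"
    let payload = sample_payload();
    let v = Validation { validate_nbf: true, validate_exp: true, required_spec_claims: vec!["exp"] };
    println!("pre-fix: {:?}", validate_pre_fix(&payload, &v, now));
    println!("fixed:   {:?}", validate_fixed(&payload, &v, now));
    // Listing "nbf" in required_spec_claims makes the same token fail even under the old logic.
    let strict = Validation { validate_nbf: true, validate_exp: true, required_spec_claims: vec!["exp", "nbf"] };
    println!("pre-fix, nbf required: {:?}", validate_pre_fix(&payload, &strict, now));
}
```

Running the example shows the pre-fix policy accepting a token whose `nbf` is a string while the fixed policy rejects it, and shows why the advisory singles out `required_spec_claims`: a claim listed there is checked for presence and type before the time check runs, so the skip never happens. The supported remedy remains upgrading to 10.3.0, as the references state.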
Details
- CWE(s)