{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25537", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T19:59:47.374Z", "datePublished": "2026-02-04T21:31:53.511Z", "dateUpdated": "2026-02-05T20:52:48.021Z"}, "containers": {"cna": {"title": "jsonwebtoken has Type Confusion that leads to potential authorization bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-843", "lang": "en", "description": "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc"}, {"name": "https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01", "tags": ["x_refsource_MISC"], "url": "https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01"}], "affected": [{"vendor": "Keats", "product": "jsonwebtoken", "versions": [{"version": "< 10.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T21:31:53.511Z"}, "descriptions": [{"lang": "en", "value": "jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number), the library\u2019s internal parsing mechanism marks the claim as \u201cFailedToParse\u201d. Crucially, the validation logic treats this \u201cFailedToParse\u201d state identically to \u201cNotPresent\u201d. This means that if a check is enabled (like: validate_nbf = true), but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like \u201cNot Before\u201d checks) and commit potential authentication and authorization bypasses. This issue has been patched in version 10.3.0."}], "source": {"advisory": "GHSA-h395-gr6q-cpjc", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T20:52:41.199183Z", "id": "CVE-2026-25537", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T20:52:48.021Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25537", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T20:52:41.199183Z"}}}], "references": [{"url": "https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T20:52:32.068Z"}}], "cna": {"title": "jsonwebtoken has Type Confusion that leads to potential authorization bypass", "source": {"advisory": "GHSA-h395-gr6q-cpjc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "Keats", "product": "jsonwebtoken", "versions": [{"status": "affected", "version": "< 10.3.0"}]}], "references": [{"url": "https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc", "name": "https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01", "name": "https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number), the library\u2019s internal parsing mechanism marks the claim as \u201cFailedToParse\u201d. Crucially, the validation logic treats this \u201cFailedToParse\u201d state identically to \u201cNotPresent\u201d. This means that if a check is enabled (like: validate_nbf = true), but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like \u201cNot Before\u201d checks) and commit potential authentication and authorization bypasses. This issue has been patched in version 10.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-843", "description": "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T21:31:53.511Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25537", "state": "PUBLISHED", "dateUpdated": "2026-02-05T20:52:48.021Z", "dateReserved": "2026-02-02T19:59:47.374Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T21:31:53.511Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:keats:jsonwebtoken:*:*:*:*:*:rust:*:*", "matchCriteriaId": "2D8E0C7E-4688-48CB-B2EE-68D277D56183", "versionEndExcluding": "10.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number), the library\u2019s internal parsing mechanism marks the claim as \u201cFailedToParse\u201d. Crucially, the validation logic treats this \u201cFailedToParse\u201d state identically to \u201cNotPresent\u201d. This means that if a check is enabled (like: validate_nbf = true), but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like \u201cNot Before\u201d checks) and commit potential authentication and authorization bypasses. This issue has been patched in version 10.3.0."}], "id": "CVE-2026-25537", "lastModified": "2026-02-11T19:13:47.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-04T22:15:59.807", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-843"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "jsonwebtoken: jsonwebtoken has Type Confusion that leads to potential authorization bypass", "id": "2436945", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436945"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-843", "details": ["jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number), the library\u2019s internal parsing mechanism marks the claim as \u201cFailedToParse\u201d. Crucially, the validation logic treats this \u201cFailedToParse\u201d state identically to \u201cNotPresent\u201d. This means that if a check is enabled (like: validate_nbf = true), but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like \u201cNot Before\u201d checks) and commit potential authentication and authorization bypasses. This issue has been patched in version 10.3.0."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-25537", "package_state": [{"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Fix deferred", "package_name": "build-of-trustee/trustee-rhel9", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Fix deferred", "package_name": "confidential-compute-attestation-tech-preview/trustee-rhel9", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-26/lightspeed-chatbot-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-model-registry-job-async-upload-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-02-04T21:31:53Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25537\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25537\nhttps://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01\nhttps://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-17T23:10:05.638407+00:00", "value": {"mitigation_remediation": ["Upgrade the jsonwebtoken library to version 10.3.0 or later. This patch removes the type\u2011confusion bug so claim validation behaves correctly.", "If an immediate upgrade is not possible, add custom validation logic that rejects JWTs where the \"nbf\" or \"exp\" claims are not numeric values, ensuring that malformed claims are treated as errors rather than ignored. In applications that already enforce required_spec_claims, extend the enforcement to critical time\u2011based claims to counter the bug.", "Consider substituting the vulnerable library with an alternative JWT implementation that enforces strict claim type validation if the current environment cannot be upgraded promptly."], "summary": {"action": "Apply Patch", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all versions of Keats' \"jsonwebtoken\" Rust library older than 10.3.0. Any application, service, or component that links against this library for JWT validation is potentially exposed, regardless of operating system or deployment environment, as long as the vulnerable version is in use.", "description_and_impact": "Type confusion in the Rust JWT library allows an attacker to craft a JWT that contains standard claims such as \"nbf\" or \"exp\" with an incorrect JSON type, causing the parser to mark the claim as \"FailedToParse\" and treat it as if the claim were not present. Because the validation logic treats a failed parse identically to a missing claim and because the claim is not marked as required in \"required_spec_claims\", the library skips validation, permitting the attacker to bypass time\u2011based restrictions. This flaw can enable authentication or authorization circumvention without the proper credential checks.", "risk_and_exploitability": "The flaw carries a CVSS score of 5.5 and an EPSS of less than 1%, reflecting moderate severity and a low probability of real\u2011world exploitation. Attackers can enact the vulnerability by supplying a maliciously crafted JWT to any application endpoint that performs token validation\u2014such as web APIs or authentication middleware\u2014provided they can influence the token payload. The requirement to forge a JWT with the wrong claim type limits the attack to contexts where the attacker has control over token creation or possesses the signing key, thereby bounding risk to systems that issue or process tokens from untrusted sources."}}}}, "created": "2026-02-05T11:39:58.105351+00:00", "updated": "2026-04-17T23:15:30.806010+00:00", "vendors": ["keats", "keats$PRODUCT$jsonwebtoken"]}