CVE-2025-30144

EPSS 1.83%
Veröffentlicht 19.03.2025 15:41:19
Zuletzt bearbeitet 19.03.2025 16:15:33
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 5.0.6, the fast-jwt library does not properly validate the iss claim based on the RFC 7519. The iss (issuer) claim validation within the fast-jwt library permits an array of strings as a valid iss value. This design flaw enables a potential attack where a malicious actor crafts a JWT with an iss claim structured as ['https://attacker-domain/', 'https://valid-iss']. Due to the permissive validation, the JWT will be deemed valid. Furthermore, if the application relies on external libraries like get-jwks that do not independently validate the iss claim, the attacker can leverage this vulnerability to forge a JWT that will be accepted by the victim application. Essentially, the attacker can insert their own domain into the iss array, alongside the legitimate issuer, and bypass the intended security checks. This issue is fixed in 5.0.6.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellernearform

≫

Produkt fast-jwt

Version < 5.0.6

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.83%	0.827

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	2.2	4.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

https://github.com/nearform/fast-jwt/security/advisories/GHSA-gm45-q3v2-6cf8

https://github.com/nearform/fast-jwt/commit/cc26b1d473f900446ad846f8f0b10eb1c0adcbdd

https://datatracker.ietf.org/doc/html/rfc7519#page-9

https://nvd.nist.gov/vuln/detail/CVE-2025-30144

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-30144

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-30144

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-30144