CVE-2025-30144 — Authentication Bypass by Spoofing in Fast-jwt
Severity
6.5 MEDIUM (NVD)
EPSS
1.8%
top 17.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Mar 19
Description
fast-jwt provides a fast JSON Web Token (JWT) implementation. Prior to 5.0.6, the fast-jwt library does not properly validate the iss claim as defined in RFC 7519. The iss (issuer) claim validation within the fast-jwt library permits an array of strings as a valid iss value. This design flaw enables a potential attack in which a malicious actor crafts a JWT with an iss claim structured as ['https://attacker-domain/', 'https://valid-iss']. Due to the permissive validation, the JWT will be deemed valid.…
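The permissive check described above, set beside a strict RFC 7519 check, as an added example (not fast-jwt's code and not part of the original advisory). The function names, the single-entry allow-list and the sample tokens are assumptions constructed for illustration; the issuer values are the ones quoted in the description.

```javascript
// Simplified model for illustration; not fast-jwt's source code.
const ALLOWED_ISSUERS = ['https://valid-iss']; // issuer value quoted in the advisory

// Decode the payload segment of a compact JWT. No signature check happens
// here: this only inspects claim shape and belongs next to real verification.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Permissive check modelling the behaviour the advisory describes:
// an array-valued iss passes if any element is an allowed issuer.
function permissiveIssCheck(payload, allowed) {
  const values = Array.isArray(payload.iss) ? payload.iss : [payload.iss];
  return values.some((v) => allowed.includes(v));
}

// Strict check: RFC 7519 section 4.1.1 defines iss as a single StringOrURI,
// so any non-string value is rejected before comparison.
function strictIssCheck(payload, allowed) {
  return typeof payload.iss === 'string' && allowed.includes(payload.iss);
}

// Constructed sample tokens (placeholder header and signature segments).
function makeToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.c2ln`;
}

const samples = {
  singleValid: makeToken({ iss: 'https://valid-iss', sub: 'u1' }),
  arrayIss: makeToken({ iss: ['https://attacker-domain/', 'https://valid-iss'], sub: 'u1' }),
  singleOther: makeToken({ iss: 'https://attacker-domain/', sub: 'u1' }),
};

// Run both checks on one token so the divergence is visible per sample.
function compare(token) {
  const payload = decodePayload(token);
  return {
    permissive: permissiveIssCheck(payload, ALLOWED_ISSUERS),
    strict: strictIssCheck(payload, ALLOWED_ISSUERS),
  };
}

for (const [name, token] of Object.entries(samples)) {
  console.log(name, compare(token));
}
```

Only the array-valued sample separates the two checks, which makes a non-string iss in an accepted token a useful thing to log or alert on in services that have not yet moved to 5.0.6.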
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Exploitability: 2.2 | Impact: 4.2