CVE-2025-30144 – The fast-jwt library prior to version 5.0.6 imp... (How to Fix)

📋 TL;DR

The fast-jwt library prior to version 5.0.6 improperly validates JWT issuer claims, allowing attackers to forge tokens by including both legitimate and malicious domains in an array. This enables authentication bypass in applications that rely on fast-jwt for JWT validation. Any application using vulnerable versions of fast-jwt for JWT processing is affected.

💻 Affected Systems

Products:

fast-jwt

Versions: All versions prior to 5.0.6

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Applications using fast-jwt for JWT validation with issuer claim checking enabled are vulnerable. The vulnerability is present in the default configuration when issuer validation is used.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete authentication bypass allowing attackers to impersonate any user, access protected resources, and potentially escalate privileges.

🟠

Likely Case

Authentication bypass enabling unauthorized access to application features and data that should be protected by JWT validation.

🟢

If Mitigated

Limited impact with proper network segmentation and additional authentication layers, but still represents a security control bypass.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires the attacker to craft a JWT with an array containing both legitimate and malicious issuer domains. No authentication is needed to present a forged JWT.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.6

Vendor Advisory: https://github.com/nearform/fast-jwt/security/advisories/GHSA-gm45-q3v2-6cf8

Restart Required: No

Instructions:

1. Update fast-jwt to version 5.0.6 or later using npm: npm update fast-jwt
2. Verify the update completed successfully
3. Test JWT validation functionality in your application

🔧 Temporary Workarounds

Custom issuer validation

all

Implement custom issuer validation logic that rejects arrays and only accepts single string values

// In your JWT validation code, add custom issuer checking:
const validateIssuer = (iss) => {
  if (Array.isArray(iss)) return false;
  return iss === 'https://your-legitimate-issuer.com';
}

🧯 If You Can't Patch

Implement additional authentication layers such as multi-factor authentication
Deploy a WAF with JWT validation rules to inspect and block malformed tokens

🔍 How to Verify

Check if Vulnerable:

Check package.json or run: npm list fast-jwt

Check Version:

npm list fast-jwt | grep fast-jwt

Verify Fix Applied:

Verify installed version is 5.0.6 or higher: npm list fast-jwt | grep fast-jwt

📡 Detection & Monitoring

Log Indicators:

JWT validation failures with array issuer claims
Unusual authentication patterns from unexpected issuers

Network Indicators:

HTTP requests with JWTs containing array issuer claims

SIEM Query:

source="application_logs" AND ("iss": [ OR "issuer": [)

📊 Metadata

CVE ID: CVE-2025-30144

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

CWE: CWE-290

EPSS Score: 1.69% exploit probability (81.9th percentile)

Published: March 19, 2025

Last Updated: March 19, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-30144, you might also want to check these: