CVE-2025-3757

9.8 CRITICAL

📋 TL;DR

OpenPubkey library versions before 0.10.0 contain a signature verification bypass in their JWS (JSON Web Signature) handling. A crafted JWS can pass verification, so an attacker can forge tokens and impersonate legitimate users or services. Any application that relies on a vulnerable OpenPubkey version for authentication or authorization is affected.

💻 Affected Systems

Products:
  • OpenPubkey library
Versions: All versions prior to 0.10.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using OpenPubkey for JWS signature verification is vulnerable regardless of configuration.

📦 What is this software?

OpenPubkey is an open-source Go library (a Linux Foundation project) that extends OpenID Connect by binding a user's or workload's public key to an OIDC ID token, producing a "PK Token". Relying parties verify PK Tokens and the signatures made with the bound key, so the library's JWS verification is the trust anchor for everything built on it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through forged authentication tokens, allowing attackers to impersonate any user, escalate privileges, or bypass all access controls.

🟠

Likely Case

Authentication bypass leading to unauthorized access to protected resources, data theft, or privilege escalation.

🟢

If Mitigated

Limited impact if additional authentication layers exist, but signature-based trust is still broken.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The assigned weakness, CWE-305 (Authentication Bypass by Primary Weakness), means the flaw sits in the verification logic itself rather than in a misconfiguration, so exploitation is straightforward once the JWS manipulation method is known and requires no prior authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.10.0

Vendor Advisory: https://github.com/openpubkey/openpubkey

Restart Required: Rebuild and redeploy. The library is compiled into the application, so restarting a binary built against an old version does not help.

Instructions:

  1. Update the OpenPubkey dependency to version 0.10.0 or later.
  2. For Go projects: run 'go get github.com/openpubkey/openpubkey@v0.10.0' followed by 'go mod tidy', and check that go.mod and go.sum now reference v0.10.0 or later.
  3. Rebuild and redeploy every application that embeds the library.

🔧 Temporary Workarounds

Input validation for JWS tokens (all platforms)

Implement additional validation of JWS token structure before passing tokens to OpenPubkey. Treat this as defense in depth only: the bypass is inside the library's own verification path, so checks in front of it narrow the attack surface but do not restore the broken signature guarantee.

🧯 If You Can't Patch

  • Implement additional authentication layers (MFA, IP whitelisting)
  • Monitor for anomalous authentication patterns and JWS token usage

🔍 How to Verify

Check if Vulnerable:

Check go.mod and go.sum (OpenPubkey is a Go library) for github.com/openpubkey/openpubkey at a version below v0.10.0. Include indirect dependencies: a vulnerable copy pulled in transitively is still compiled into your binary.

Check Version:

For Go: 'go list -m github.com/openpubkey/openpubkey'

Verify Fix Applied:

Confirm OpenPubkey version is 0.10.0 or higher in dependency files
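An added example (not code from the OpenPubkey project) that automates the "Check Version" and "Verify Fix Applied" steps above. It compares the resolved module version against v0.10.0 numerically, field by field, so that v0.9.10 is correctly treated as older than v0.10.0 (a plain string comparison gets this wrong), and it treats pre-release and Go pseudo-versions such as v0.9.6-0.<timestamp>-<hash> as older than the tagged release. The input lines in main are constructed to look like `go list -m` output and go.mod entries; the only assumption about the real tool is that `go list -m <path>` prints "<path> <version>".

```sh
#!/bin/sh
# Added example for CVE-2025-3757: is a given OpenPubkey module version below
# the fixed release? Not part of the OpenPubkey project.
MODULE_PATH="github.com/openpubkey/openpubkey"
FIXED_VERSION="v0.10.0"

# semver_lt A B -> exit 0 if A < B.
# Strips a leading "v" and any "+build" suffix, compares major.minor.patch
# numerically, and orders a pre-release (anything after "-") before the
# release with the same numeric part.
semver_lt() {
    a=$(printf '%s\n' "$1" | sed 's/^v//; s/+.*$//')
    b=$(printf '%s\n' "$2" | sed 's/^v//; s/+.*$//')
    case "$a" in *-*) a_pre=1 ;; *) a_pre=0 ;; esac
    case "$b" in *-*) b_pre=1 ;; *) b_pre=0 ;; esac
    a=${a%%-*}
    b=${b%%-*}
    # Pad with zeros so "v0.10" parses as 0.10.0.
    set -- $(printf '%s\n' "$a" | tr '.' ' ') 0 0 0
    a1=$1 a2=$2 a3=$3
    set -- $(printf '%s\n' "$b" | tr '.' ' ') 0 0 0
    b1=$1 b2=$2 b3=$3
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ]; return $?; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ]; return $?; fi
    if [ "$a3" -ne "$b3" ]; then [ "$a3" -lt "$b3" ]; return $?; fi
    # Same numeric version: only "pre-release < release" remains.
    [ "$a_pre" -eq 1 ] && [ "$b_pre" -eq 0 ]
}

# is_vulnerable VERSION -> exit 0 if VERSION is below the fixed release.
is_vulnerable() {
    semver_lt "$1" "$FIXED_VERSION"
}

# classify_line LINE -> prints VULNERABLE, FIXED or NOT-FOUND for one line of
# `go list -m` output or one go.mod require entry ("<path> <version> ...").
classify_line() {
    ver=$(printf '%s\n' "$1" | awk -v p="$MODULE_PATH" '$1 == p { print $2 }')
    if [ -z "$ver" ]; then
        printf 'NOT-FOUND\n'
    elif is_vulnerable "$ver"; then
        printf 'VULNERABLE\n'
    else
        printf 'FIXED\n'
    fi
}

# check_project: run inside a Go module directory with the toolchain
# installed; asks `go list -m` for the resolved version of the module.
check_project() {
    classify_line "$(go list -m "$MODULE_PATH" 2>/dev/null)"
}

main() {
    # Constructed sample lines, not real tool output.
    for line in \
        "github.com/openpubkey/openpubkey v0.9.10" \
        "github.com/openpubkey/openpubkey v0.9.6-0.20250101000000-abcdef123456 // indirect" \
        "github.com/openpubkey/openpubkey v0.10.0" \
        "github.com/openpubkey/openpubkey v0.11.2" \
        "github.com/example/other v1.0.0"
    do
        printf '%-80s %s\n' "$line" "$(classify_line "$line")"
    done
}

# Only run the demo when executed directly, not when sourced by a test.
case "$0" in *openpubkey_check*) main ;; esac
```

To check a real project, `cd` into its module root and call `check_project`, or pipe `go list -m all` through `while read -r l; do classify_line "$l"; done` to catch the module even when it is only an indirect dependency.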

📡 Detection & Monitoring

Log Indicators:

  • Failed signature verification attempts in bursts (probing for the bypass; a successful forgery does not fail verification, so failures alone never prove the bypass was used)
  • Successful verifications for identities, issuers or audiences that the identity provider has no record of issuing a token for
  • JWS tokens with unexpected structure (unusual header fields, segment counts or algorithms)
  • Unusual authentication patterns (new sources, off-hours access, privilege use shortly after first login)

Network Indicators:

  • Authentication requests carrying malformed JWS tokens
  • Traffic spikes to authentication endpoints

SIEM Query:

Authentication events where a JWS or PK token verified successfully but the token's claims (issuer, subject, audience) cannot be matched to a token the identity provider actually issued, and any point in time where the ratio of successful to failed verifications changes abruptly for a single client.

🔗 References

  • Vendor advisory / project repository: https://github.com/openpubkey/openpubkey