CVE-2025-59934
📋 TL;DR
This vulnerability allows attackers to bypass authentication in Formbricks by forging JWT tokens: the affected code decodes tokens without verifying their signature. An attacker who knows a victim's user ID can craft an arbitrary token to impersonate that user and reset their password. All Formbricks instances running versions before 4.0.1 are affected.
💻 Affected Systems
- Formbricks
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user, including administrators, leading to data theft, privilege escalation, and system compromise.
Likely Case
Unauthorized password resets and account takeovers of regular users, potentially exposing sensitive survey data and user information.
If Mitigated
Limited impact with proper network segmentation and monitoring, but authentication bypass remains possible.
🎯 Exploit Status
Exploitation requires knowledge of the victim's user ID, but is technically simple once that ID is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.1
Vendor Advisory: https://github.com/formbricks/formbricks/security/advisories/GHSA-7229-q9pv-j6p4
Restart Required: Yes
Instructions:
1. Update Formbricks to version 4.0.1 or later.
2. Restart the Formbricks service.
3. Verify the patch is applied by checking the version.
🔧 Temporary Workarounds
Disable vulnerable endpoints
Temporarily disable email verification and password reset functionality until patched.
Implement WAF rules
Block requests containing JWT tokens with an alg: 'none' header.
🧯 If You Can't Patch
- Implement rate limiting on authentication endpoints to slow down brute force attempts
- Enable detailed logging of all authentication attempts and monitor for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check whether the Formbricks version is below 4.0.1. Review the JWT validation code to ensure jwt.verify() is used instead of jwt.decode(), so that the signature is actually checked.
Check Version:
Check package.json or Formbricks admin interface for version information.
Verify Fix Applied:
Confirm version is 4.0.1 or higher. Test that forged JWT tokens with alg: 'none' are rejected.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful login with unusual tokens
- JWT tokens with alg: 'none' in authentication logs
Network Indicators:
- Unusual spikes in authentication requests
- Requests to password reset endpoints from unexpected sources
SIEM Query:
source="formbricks" AND (event="authentication" OR event="password_reset") AND token_alg="none"
🔗 References
- https://github.com/formbricks/formbricks/blob/843110b0d6c37b5c0da54291616f84c91c55c4fc/apps/web/lib/jwt.ts#L114-L117
- https://github.com/formbricks/formbricks/commit/eb1349f205189d5b2d4a95ec42245ca98cf68c82
- https://github.com/formbricks/formbricks/pull/6596
- https://github.com/formbricks/formbricks/security/advisories/GHSA-7229-q9pv-j6p4