CVE-2025-59936
📋 TL;DR
CVE-2025-59936 is a cache poisoning vulnerability in the get-jwks library that allows attackers to bypass JWT issuer validation. By manipulating cached JWKS keys, malicious actors can make systems accept tokens from unauthorized issuers. This affects applications that use get-jwks versions before 11.0.2 for JWT validation.
💻 Affected Systems
- get-jwks
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete authentication bypass allowing unauthorized access to protected resources, potential privilege escalation, and data exposure.
Likely Case
Authentication bypass for specific endpoints or services relying on JWT validation, potentially leading to unauthorized API access.
If Mitigated
Limited impact if additional validation layers exist beyond get-jwks, but the flaw still creates security gaps.
🎯 Exploit Status
Requires the ability to craft JWTs and trigger cache poisoning, but no authentication is needed for the exploit itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.0.2
Vendor Advisory: https://github.com/nearform/get-jwks/security/advisories/GHSA-qc2q-qhf3-235m
Restart Required: No
Instructions:
1. Update get-jwks to version 11.0.2 or later using npm update get-jwks.
2. Verify the update with npm list get-jwks.
3. Test JWT validation functionality.
🔧 Temporary Workarounds
Implement issuer validation before key retrieval
Modify application code to validate the JWT issuer before calling get-jwks for key retrieval.
Disable JWKS caching
Configure get-jwks to not cache JWKS keys, eliminating the cache poisoning vector.
Set cache: false in get-jwks configuration
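The following is an added example of the first workaround (validate the issuer before any key retrieval); it is not code from the get-jwks project or from this advisory. It assumes the resolver exposes getPublicKey({ domain, alg, kid }) returning a promise, the call shape documented for a get-jwks instance, and uses constructed issuer URLs and tokens. The JWKS domain handed to the resolver is always taken from a fixed allowlist entry, never from the token, so a token that names a foreign issuer is rejected before the resolver or its cache is touched.

```javascript
'use strict';

// Decode one base64url JWT segment to JSON. Nothing here verifies a signature;
// the claims are read only to decide whether a key lookup is allowed at all.
function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

// Exact issuer string from the unverified payload, or null when absent/malformed.
function extractIssuer(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = decodeSegment(parts[1]);
    return typeof payload.iss === 'string' ? payload.iss : null;
  } catch {
    return null;
  }
}

// Allowlist of exact issuer URLs (constructed) mapped to the JWKS domain that the
// resolver should be asked for. Exact string match only: no prefix, substring or
// regex matching.
const TRUSTED_ISSUERS = new Map([
  ['https://auth.example.com', 'https://auth.example.com'],
]);

// Build the argument for getPublicKey({ domain, alg, kid }) (assumed call shape).
// The domain comes from the allowlist entry, never from the token, and the
// function throws before any cache or network access for an unknown issuer.
function keyRequestFor(token, trustedIssuers = TRUSTED_ISSUERS) {
  const iss = extractIssuer(token);
  if (iss === null || !trustedIssuers.has(iss)) {
    throw new Error(`untrusted issuer: ${iss}`);
  }
  const header = decodeSegment(token.split('.')[0]);
  if (typeof header.alg !== 'string' || typeof header.kid !== 'string') {
    throw new Error('token header lacks alg/kid');
  }
  return { domain: trustedIssuers.get(iss), alg: header.alg, kid: header.kid, issuer: iss };
}

// Fetch the key only after the issuer check passed. `getJwks` is any object
// exposing getPublicKey({ domain, alg, kid }) -> Promise<string> (assumed shape
// of a get-jwks instance). Verifying the signature with the returned key, and
// checking the same expected issuer again, is the caller's next step.
async function publicKeyForToken(token, getJwks, trustedIssuers = TRUSTED_ISSUERS) {
  const { domain, alg, kid, issuer } = keyRequestFor(token, trustedIssuers);
  const key = await getJwks.getPublicKey({ domain, alg, kid });
  return { key, issuer };
}

// ---- constructed sample tokens and a stand-in resolver, for an offline run ----
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}
// header.payload.<placeholder signature>; never accepted without verification.
function sampleToken(iss) {
  return `${b64url({ alg: 'RS256', kid: 'key-1', typ: 'JWT' })}.${b64url({ iss, sub: 'alice' })}.c2ln`;
}
const GOOD_TOKEN = sampleToken('https://auth.example.com');
const ROGUE_TOKEN = sampleToken('https://evil.example.net'); // constructed foreign issuer

// Records every domain it is asked for, so a test can show that the foreign
// issuer never reaches the resolver (and therefore never touches its cache).
function recordingJwks() {
  const requested = [];
  return {
    requested,
    async getPublicKey({ domain }) {
      requested.push(domain);
      return `-----BEGIN PUBLIC KEY-----\n(constructed key for ${domain})`;
    },
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const jwks = recordingJwks();
  publicKeyForToken(GOOD_TOKEN, jwks).then((r) => console.log('accepted issuer', r.issuer));
  publicKeyForToken(ROGUE_TOKEN, jwks).catch((e) => console.log('rejected:', e.message, '| domains asked:', jwks.requested));
}
```

The allowlist is a Map rather than a list so that the lookup domain is an explicit, reviewed value per issuer; adding an issuer means adding one entry, and nothing derived from token contents can widen the set of JWKS endpoints the application will contact.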
🧯 If You Can't Patch
- Implement additional JWT validation layers independent of get-jwks
- Monitor authentication logs for unusual issuer patterns or validation failures
🔍 How to Verify
Check if Vulnerable:
Check package.json or run npm list get-jwks to see if the installed version is below 11.0.2
Check Version:
npm list get-jwks | grep get-jwks
Verify Fix Applied:
Confirm get-jwks version is 11.0.2 or higher with npm list get-jwks
📡 Detection & Monitoring
Log Indicators:
- Multiple JWT validation failures with different issuers
- Unusual issuer claims in JWT validation logs
- Cache-related errors in get-jwks logs
Network Indicators:
- Unusual JWKS endpoint requests from single source
- Multiple JWT validation attempts with varying issuers
SIEM Query:
source="application_logs" AND ("get-jwks" OR "JWT validation") AND ("issuer mismatch" OR "validation failed")
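As an added example of the log indicator "multiple JWT validation failures with different issuers", the script below groups failed validations by source and flags any source whose failures name several distinct issuers. It is not part of the advisory or of get-jwks; the log lines are constructed in a key=value style whose wording mirrors the SIEM query terms above, and the field names (src, result, reason, iss) are assumptions about the application's logging format.

```javascript
'use strict';

// Constructed sample application log lines (not from any real system).
const SAMPLE_LOGS = [
  '2025-10-01T10:00:01Z src=203.0.113.5 event="JWT validation" result=failed reason="issuer mismatch" iss=https://auth.example.com',
  '2025-10-01T10:00:02Z src=203.0.113.5 event="JWT validation" result=failed reason="issuer mismatch" iss=https://login.example.org',
  '2025-10-01T10:00:03Z src=203.0.113.5 event="JWT validation" result=failed reason="issuer mismatch" iss=https://evil.example.net',
  '2025-10-01T10:00:04Z src=198.51.100.7 event="JWT validation" result=failed reason="validation failed" iss=https://auth.example.com',
  '2025-10-01T10:00:05Z src=198.51.100.7 event="JWT validation" result=failed reason="validation failed" iss=https://auth.example.com',
  '2025-10-01T10:00:06Z src=198.51.100.7 event="JWT validation" result=ok iss=https://auth.example.com',
];

// Parse key=value pairs (quoted or bare values) into an object.
function parseLine(line) {
  const fields = {};
  const re = /(\w+)=(?:"([^"]*)"|(\S+))/g;
  let m;
  while ((m = re.exec(line)) !== null) {
    fields[m[1]] = m[2] !== undefined ? m[2] : m[3];
  }
  return fields;
}

// Flag sources whose failed validations name at least `threshold` distinct
// issuers. A legitimate client normally presents tokens from one issuer, so a
// spread of issuers from one source is worth an analyst's attention.
function sourcesWithManyIssuers(lines, threshold = 3) {
  const perSource = new Map();
  for (const line of lines) {
    const f = parseLine(line);
    if (f.result !== 'failed' || !f.src || !f.iss) continue;
    if (!perSource.has(f.src)) perSource.set(f.src, new Set());
    perSource.get(f.src).add(f.iss);
  }
  return [...perSource]
    .filter(([, issuers]) => issuers.size >= threshold)
    .map(([src, issuers]) => ({ src, issuers: [...issuers].sort() }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of sourcesWithManyIssuers(SAMPLE_LOGS)) {
    console.log(`source ${hit.src} failed validation with ${hit.issuers.length} issuers: ${hit.issuers.join(', ')}`);
  }
}
```

The threshold of three is a starting point; tune it against a baseline of normal traffic, and pair the issuer spread with the "issuer mismatch" reason so that ordinary expired-token noise from a single issuer does not trigger the rule.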