CVE-2026-25537

7.5 HIGH

📋 TL;DR

This vulnerability in the jsonwebtoken Rust library allows attackers to bypass time-based validation such as the 'Not Before' (nbf) and 'Expiration' (exp) checks by supplying those claims with a malformed type (a string where a number is expected). Attackers can potentially bypass authentication and authorization controls in applications using this library. All applications using jsonwebtoken versions before 10.3.0 are affected.

💻 Affected Systems

Products:
  • jsonwebtoken Rust library
Versions: All versions prior to 10.3.0
Operating Systems: All operating systems running Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Applications must have validate_nbf or validate_exp enabled but not mark these claims as required in required_spec_claims to be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete authentication bypass allowing unauthorized access to protected resources and administrative functions.

🟠 Likely Case: Bypass of time-based restrictions allowing expired or premature tokens to be accepted as valid.

🟢 If Mitigated: Limited impact if applications use required_spec_claims to enforce claim validation.

🌐 Internet-Facing: HIGH - JWT tokens are commonly used in web APIs and authentication systems exposed to the internet.
🏢 Internal Only: MEDIUM - Internal systems using JWT authentication remain vulnerable but with reduced attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting JWT tokens with string values for numeric claims like nbf or exp.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.3.0

Vendor Advisory: https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc

Restart Required: Yes

Instructions:

1. Update Cargo.toml to require jsonwebtoken >=10.3.0
2. Run 'cargo update jsonwebtoken'
3. Rebuild and redeploy your application

🔧 Temporary Workarounds

Enforce required claims

all

Mark nbf and exp claims as required in required_spec_claims configuration

// In your JWT validation code (validation is your jsonwebtoken::Validation instance), ensure required_spec_claims includes "nbf" and "exp"
validation.set_required_spec_claims(&["exp", "nbf"]);

🧯 If You Can't Patch

  • Implement additional validation layer to check claim types before passing to jsonwebtoken
  • Use web application firewall rules to detect and block malformed JWT tokens
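The "additional validation layer" workaround above, as an added example (not code from the jsonwebtoken project): a Python pre-check that runs in front of the Rust service (for example in an API gateway or middleware) and fails closed whenever exp or nbf is missing or carries a non-numeric JSON value, which is exactly the malformed-type case this advisory describes. The token builder `_make_token` and its dummy signature are constructed for the test; signature verification is still left to jsonwebtoken.

```python
import base64
import json
import time

# Time claims that RFC 7519 defines as NumericDate; a JSON string is never valid here.
NUMERIC_TIME_CLAIMS = ("exp", "nbf")


def decode_payload(token: str) -> dict:
    """Decode the JWT payload segment without verifying the signature.
    This layer only inspects claim types; the Rust library still verifies
    the signature afterwards."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(segment))
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    return payload


def check_time_claims(token: str, now=None, leeway: int = 0) -> bool:
    """Return True only if exp and nbf are present, numeric and satisfied at `now`."""
    now = time.time() if now is None else now
    try:
        claims = decode_payload(token)
    except (ValueError, UnicodeDecodeError):  # binascii.Error and JSONDecodeError are ValueErrors
        return False
    for name in NUMERIC_TIME_CLAIMS:
        value = claims.get(name)
        # bool is an int subclass in Python, so it is rejected explicitly as well.
        if value is None or isinstance(value, bool) or not isinstance(value, (int, float)):
            return False  # missing or string-typed claim: fail closed instead of skipping the check
    if claims["exp"] + leeway < now:
        return False  # expired
    if claims["nbf"] - leeway > now:
        return False  # not yet valid
    return True


def _make_token(claims: dict) -> str:
    """Constructed sample token (hypothetical helper); the signature segment is a dummy."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"
```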

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock or Cargo.toml for jsonwebtoken version <10.3.0

Check Version:

grep -A1 'name = "jsonwebtoken"' Cargo.lock   # name and version are on consecutive lines in Cargo.lock

Verify Fix Applied:

Verify jsonwebtoken version is >=10.3.0 in Cargo.lock after update

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts with unusual JWT claim types
  • Successful authentications with expired or future-dated tokens

Network Indicators:

  • HTTP requests with JWT tokens containing string values for numeric claims

SIEM Query:

source="application_logs" AND ("FailedToParse" OR "malformed claim" OR "invalid claim type")
