What is the CVSS score of CVE-2026-25537?

CVE-2026-25537 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.1%.

Which versions of Jsonwebtoken are affected by CVE-2026-25537?

A type confusion vulnerability in the jsonwebtoken Rust library could allow attackers to bypass critical security validations (such as token expiration or not-before checks) by submitting malformed…. A patch is available.

Is there a public PoC exploit available for CVE-2026-25537?

Yes, a public proof-of-concept exploit is available for CVE-2026-25537. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-25537?

Within 24 hours: Identify all applications and services using jsonwebtoken library and their current versions. Within 7 days: Apply patch to upgrade jsonwebtoken to version 10.3.0 or later across all affected systems; prioritize production authentication and API gateway services. Within 30 days: Conduct security testing of patched systems and implement monitoring for suspicious JWT claim patterns.

Jsonwebtoken CVE-2026-25537

HIGH

Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)

2026-02-04 security-advisories@github.com

GHSA-h395-gr6q-cpjc

Buffer Overflow Jsonwebtoken Red Hat

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Red Hat

7.5 MEDIUM

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 11, 2026 - 19:13 vuln.today

Public exploit code

Patch released

Feb 11, 2026 - 19:13 nvd

Patch available

CVE Published

Feb 04, 2026 - 22:15 nvd

HIGH 7.5

DescriptionGitHub Advisory

jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number), the library’s internal parsing mechanism marks the claim as “FailedToParse”. Crucially, the validation logic treats this “FailedToParse” state identically to “NotPresent”. This means that if a check is enabled (like: validate_nbf = true), but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like “Not Before” checks) and commit potential authentication and authorization bypasses. This issue has been patched in version 10.3.0.

AnalysisAI

jsonwebtoken prior to version 10.3.0 allows attackers to bypass JWT time-based validation checks through type confusion when standard claims like nbf or exp are provided with incorrect JSON types. The library incorrectly treats malformed claims as absent rather than invalid, enabling bypass of critical security restrictions if validation is enabled but the claim is not explicitly marked as required. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft JWT with string-type nbf/exp claim

Delivery

Parser marks claim FailedToParse

Exploit

Validation treats as NotPresent

Execution

Bypass expiration check

Impact

Access protected resource

Access

Craft JWT with string-type nbf/exp claim

Delivery

Parser marks claim FailedToParse

Exploit

Validation treats as NotPresent

Execution

Bypass expiration check

Impact

Access protected resource

Vulnerability AssessmentAI

Exploitation	jsonwebtoken library versions before 10.3.0 with validation enabled (validate_nbf=true or validate_exp=true) but claim not in required_spec_claims. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this vulnerability to bypass critical time-based security restrictions (like “Not Before” checks) and.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all applications and services using jsonwebtoken library and their current versions. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

CVE-2026-25537 vulnerability details – vuln.today

Back

Jsonwebtoken CVE-2026-25537

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

Share

External POC / Exploit Code