Bug 2436945 (CVE-2026-25537) - CVE-2026-25537 jsonwebtoken: jsonwebtoken has Type Confusion that leads to potential authorization bypass
Summary: CVE-2026-25537 jsonwebtoken: jsonwebtoken has Type Confusion that leads to po...
Keywords:
Status: NEW
Alias: CVE-2026-25537
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2437460 2437461 2437462 2437463 2437466 2437468 2437471 2437473 2437464 2437465 2437467 2437469 2437470 2437472
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-02-04 22:01 UTC by OSIDB Bzimport
Modified: 2026-02-06 23:35 UTC (History)
10 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-02-04 22:01:43 UTC 
jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number), the library’s internal parsing mechanism marks the claim as “FailedToParse”. Crucially, the validation logic treats this “FailedToParse” state identically to “NotPresent”. This means that if a check is enabled (like: validate_nbf = true), but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like “Not Before” checks) and commit potential authentication and authorization bypasses. This issue has been patched in version 10.3.0.
Note You need to log in before you can comment on or make changes to this bug.