Vulnerabilities CVE-2026-25537 Detail Description jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number), the library’s internal parsing mechanism marks the claim as “FailedToParse”. Crucially, the validation logic treats this “FailedToParse” state identically to “NotPresent”. This means that if a check is enabled (like: validate_nbf = true), but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like “Not Before” checks) and commit potential authentication and authorization bypasses. This issue has been patched in version 10.3.0. Metrics NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed. CVSS 4.0 Severity and Vector Strings: NIST: NVD N/A NVD assessment not yet provided. CNA: GitHub, Inc. CVSS-BT 5.5 MEDIUM Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P CVSS 3.x Severity and Vector Strings: NIST: NVD Base Score: 7.5 HIGH Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS 2.0 Severity and Vector Strings: NIST: NVD Base Score: N/A NVD assessment not yet provided. References to Advisories, Solutions, and Tools By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected] . URL Source(s) Tag(s) https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01 GitHub, Inc. Patch https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc CISA-ADP, GitHub, Inc. Exploit Vendor Advisory Weakness Enumeration CWE-ID CWE Name Source CWE-843 Access of Resource Using Incompatible Type ('Type Confusion') GitHub, Inc. Known Affected Software Configurations Switch to CPE 2.2 CPEs loading, please wait. Change History 3 change records found show changes Initial Analysis by NIST 2/11/2026 2:13:47 PM Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Added CPE Configuration OR *cpe:2.3:a:keats:jsonwebtoken:*:*:*:*:*:rust:*:* versions up to (excluding) 10.3.0 Added Reference Type CISA-ADP: https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc Types: Exploit, Vendor Advisory Added Reference Type GitHub, Inc.: https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01 Types: Patch Added Reference Type GitHub, Inc.: https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc Types: Exploit, Vendor Advisory CVE Modified by CISA-ADP 2/05/2026 4:15:53 PM Action Type Old Value New Value Added Reference https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc New CVE Received from GitHub, Inc. 2/04/2026 5:15:59 PM Action Type Old Value New Value Added Description jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number), the library’s internal parsing mechanism marks the claim as “FailedToParse”. Crucially, the validation logic treats this “FailedToParse” state identically to “NotPresent”. This means that if a check is enabled (like: validate_nbf = true), but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like “Not Before” checks) and commit potential authentication and authorization bypasses. This issue has been patched in version 10.3.0. Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-843 Added Reference https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01 Added Reference https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc Quick Info CVE Di