Design Flaw in JSON Web Token Implementation in Fast-JWT by NearForm
CVE-2025-30144

6.5 MEDIUM

Key Information:

Vendor: Nearform
Status: Vendor
CVE Published: 19 March 2025

What is CVE-2025-30144?

The fast-jwt library, a lightweight implementation of JSON Web Tokens, contains a critical design flaw in how it validates the 'iss' (issuer) claim. RFC 7519 defines 'iss' as a single string or URI value, but before version 5.0.6 the library erroneously accepted an array of strings as a valid issuer. This allows an attacker to construct a JWT whose 'iss' array contains both a legitimate issuer and a domain the attacker controls. If an application relying on fast-jwt also uses external libraries that do not validate the 'iss' claim independently, such a forged JWT can pass as legitimate and grant unauthorized access to sensitive functionality or data within the application. The vulnerability poses severe risks, especially for applications that place undue trust in the issuer claim of incoming JWTs.
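To make the flaw concrete, the following added example (not fast-jwt's own code) contrasts a lenient issuer check of the kind described above with a strict check that enforces the RFC 7519 rule that 'iss' is a single string. Sample tokens are constructed inline with placeholder header and signature segments; the check only inspects claims and assumes signature verification has already been done separately.

```javascript
// Decode the payload segment of a compact-serialized JWT (no signature check here).
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Lenient check, as the advisory describes for fast-jwt < 5.0.6: an array 'iss'
// is accepted and passes if any element is an allowed issuer. Shown for contrast only.
function lenientIssuerOk(payload, allowed) {
  const issuers = Array.isArray(payload.iss) ? payload.iss : [payload.iss];
  return issuers.some((i) => allowed.includes(i));
}

// Strict check per RFC 7519 section 4.1.1: 'iss' must be one non-empty string
// that exactly matches a configured issuer. Arrays, numbers and objects are rejected.
function strictIssuerOk(payload, allowed) {
  return typeof payload.iss === 'string'
    && payload.iss.length > 0
    && allowed.includes(payload.iss);
}

function encodePayload(claims) {
  return Buffer.from(JSON.stringify(claims)).toString('base64url');
}

// Constructed sample tokens (hypothetical issuers; 'sig' is a placeholder signature).
const HEADER = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url');
const goodToken = `${HEADER}.${encodePayload({ iss: 'https://auth.example', sub: 'alice' })}.sig`;
const arrayIssToken = `${HEADER}.${encodePayload({
  iss: ['https://auth.example', 'https://other.example'], sub: 'alice',
})}.sig`;

// Run both checks against a token and report which one would accept it.
function checkToken(token, allowed = ['https://auth.example']) {
  const payload = decodePayload(token);
  return { lenient: lenientIssuerOk(payload, allowed), strict: strictIssuerOk(payload, allowed) };
}

console.log('single-string iss:', checkToken(goodToken));   // both true
console.log('array iss:', checkToken(arrayIssToken));       // lenient true, strict false
```

The second output line is the detection signal a defender wants: a token whose 'iss' is not a plain string should be rejected before any issuer comparison takes place.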

Affected Version(s)

fast-jwt < 5.0.6

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
