Token Validation Flaw in Formbricks by Formbricks
CVE-2025-59934
Key Information:
- Vendor
Formbricks
- Status
- Vendor
- CVE Published:
- 26 September 2025
Badges
What is CVE-2025-59934?
CVE-2025-59934 is a vulnerability found in Formbricks, an open-source alternative to Qualtrics that is designed for managing surveys and forms. This vulnerability pertains to inadequate token validation due to the absence of JSON Web Token (JWT) signature verification prior to version 4.0.1. Specifically, the flaw arises from a token validation process that only decodes the JWT (using jwt.decode) without verifying its signature, leading to significant security implications. Consequently, both the email verification and password reset functionalities are compromised, allowing an attacker who possesses the victim's user.id to create a malicious JWT. This crafted token could have an "alg: none" header, which would permit unauthorized actions such as authenticating as the victim and resetting their password. The lack of checks for the token's signature, expiration, issuer, or audience can lead to identity theft and unauthorized access to sensitive information or functionalities within the Formsbricks deployment.
Potential impact of CVE-2025-59934
-
Unauthorized Account Access: Attackers can exploit this vulnerability to gain unauthorized access to victim accounts by using crafted JWTs, allowing them to impersonate users effectively.
-
Password Reset Abuse: The vulnerability exposes the password reset mechanism, enabling attackers to reset victims' passwords without their consent, potentially leading to account takeover scenarios.
-
Data Breaches: Successful exploitation can lead to unauthorized access to sensitive data managed within Formbricks, increasing the risk of data breaches that could expose confidential user information or survey results.
Affected Version(s)
formbricks < 4.0.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
EPSS Score
8% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- π‘
Public PoC available
- πΎ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
