JWKS Cache Poisoning in get-jwks by Nearform
CVE-2025-59936

9.4CRITICAL

Key Information:

Vendor: Nearform
Status: Get-jwks
Vendor: CVE Published:; 27 September 2025

What is CVE-2025-59936?

get-jwks prior to version 11.0.2 contains a vulnerability that affects the JWKS key-fetching process. Specifically, it allows an attacker to exploit the cache mechanism by ensuring that improperly validated keys from untrusted issuers can be reused. The flaw arises when the issuer claim is validated only after the keys are fetched from the cache. A malicious user can manipulate JWTs such that a chosen public key gets stored in the cache, allowing subsequent requests with an altered issuer to pass validation. This security concern has been addressed in version 11.0.2.

Affected Version(s)

get-jwks < 11.0.2

References

https://github.com/nearform/get-jwks/security/advisories/...

x_refsource_CONFIRM

https://github.com/nearform/get-jwks/commit/1706a177a80a1...

x_refsource_MISC

CVSS V3.0

Score:

9.4

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 27, 2025
Vulnerability Reserved
Sep 23, 2025

JSON