JWKS Cache Poisoning in get-jwks by Nearform
CVE-2025-59936

9.4CRITICAL

Key Information:

Vendor: Nearform
Status: Get-jwks
Vendor: CVE Published:; 27 September 2025

What is CVE-2025-59936?

get-jwks prior to version 11.0.2 contains a vulnerability that affects the JWKS key-fetching process. Specifically, it allows an attacker to exploit the cache mechanism by ensuring that improperly validated keys from untrusted issuers can be reused. The flaw arises when the issuer claim is validated only after the keys are fetched from the cache. A malicious user can manipulate JWTs such that a chosen public key gets stored in the cache, allowing subsequent requests with an altered issuer to pass validation. This security concern has been addressed in version 11.0.2.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

get-jwks < 11.0.2

References

https://github.com/nearform/get-jwks/security/advisories/...

x_refsource_CONFIRM

https://github.com/nearform/get-jwks/commit/1706a177a80a1...

x_refsource_MISC

CVSS V3.0

Score:

9.4

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 27, 2025
Vulnerability Reserved
Sep 23, 2025

JSON

Nearform

What is CVE-2025-59936?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.0

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.