Type confusion in jsonwebtoken - CVE-2026-25537

Published: February 13, 2026


Vulnerability identifier: #VU122823
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-25537
CWE-ID: CWE-843
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Vincent Prouillet
Affected software:
jsonwebtoken

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to a type confusion error when parsing standard claims supplied in an incorrect format. If a claim is provided with the wrong JSON type, the library's internal claim parsing marks it as "FailedToParse", and the validation logic treats this state identically to "NotPresent". If the corresponding check is enabled (e.g. "validate_nbf = true") but the claim is not explicitly listed in required_spec_claims, the library skips the validation check entirely for the malformed claim. A remote attacker can bypass authorization checks and gain unauthorized access to the application.
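The following Rust program is an added illustration of the failure mode described above; it is not code from the jsonwebtoken crate and does not depend on it. It models the three claim states the advisory names (NotPresent, FailedToParse, Present) over a hand-built claim map, then contrasts a validator that folds FailedToParse into NotPresent with one that rejects a mistyped claim outright. The `Json` enum, the `Validation` struct, the `Rejection` error type and the sample claim sets (including the constructed `"nbf": "later"` value) are all assumptions made for this example, not the crate's own types.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Minimal stand-in for a decoded JSON claim value (assumption, not the crate's type).
#[derive(Debug, Clone, PartialEq)]
enum Json {
    Num(u64),
    Str(String),
}

// Parse state of a standard numeric claim, mirroring the states the advisory names.
#[derive(Debug, Clone, Copy, PartialEq)]
enum ClaimState {
    NotPresent,
    FailedToParse,
    Present(u64),
}

fn numeric_claim(claims: &BTreeMap<&str, Json>, name: &str) -> ClaimState {
    match claims.get(name) {
        None => ClaimState::NotPresent,
        Some(Json::Num(n)) => ClaimState::Present(*n),
        Some(_) => ClaimState::FailedToParse, // present, but wrong JSON type
    }
}

// Simplified validation settings (assumption): only the nbf check is modelled.
struct Validation<'a> {
    validate_nbf: bool,
    required_spec_claims: BTreeSet<&'a str>,
    now: u64,
}

#[derive(Debug, PartialEq)]
enum Rejection {
    MissingRequiredClaim(String),
    InvalidClaimType(String),
    ImmatureSignature,
}

// Behaviour as described in the advisory: FailedToParse is handled like NotPresent,
// so the nbf check is silently skipped unless "nbf" is in required_spec_claims.
fn validate_vulnerable(claims: &BTreeMap<&str, Json>, v: &Validation<'_>) -> Result<(), Rejection> {
    let nbf = numeric_claim(claims, "nbf");
    let present = matches!(nbf, ClaimState::Present(_));
    if !present && v.required_spec_claims.contains("nbf") {
        return Err(Rejection::MissingRequiredClaim("nbf".into()));
    }
    if v.validate_nbf {
        if let ClaimState::Present(n) = nbf {
            if n > v.now {
                return Err(Rejection::ImmatureSignature);
            }
        }
    }
    Ok(())
}

// Hardened variant: a claim that is present but mistyped is always rejected,
// independently of required_spec_claims (a conservative choice for this example).
fn validate_fixed(claims: &BTreeMap<&str, Json>, v: &Validation<'_>) -> Result<(), Rejection> {
    match numeric_claim(claims, "nbf") {
        ClaimState::FailedToParse => Err(Rejection::InvalidClaimType("nbf".into())),
        ClaimState::NotPresent if v.required_spec_claims.contains("nbf") => {
            Err(Rejection::MissingRequiredClaim("nbf".into()))
        }
        ClaimState::Present(n) if v.validate_nbf && n > v.now => Err(Rejection::ImmatureSignature),
        _ => Ok(()),
    }
}

// Constructed sample claim set: a subject plus whatever nbf value the caller supplies.
fn claims_with_nbf(nbf: Json) -> BTreeMap<&'static str, Json> {
    let mut m = BTreeMap::new();
    m.insert("sub", Json::Str("alice".into()));
    m.insert("nbf", nbf);
    m
}

// validate_nbf is enabled; "nbf" is added to required_spec_claims only on request.
fn validation(now: u64, require_nbf: bool) -> Validation<'static> {
    let mut required = BTreeSet::new();
    if require_nbf {
        required.insert("nbf");
    }
    Validation { validate_nbf: true, required_spec_claims: required, now }
}

fn main() {
    let now = 1_700_000_000;
    let malformed = claims_with_nbf(Json::Str("later".into())); // constructed: nbf as a string
    let lenient = validation(now, false);
    let strict = validation(now, true);
    println!("vulnerable, nbf mistyped, not required: {:?}", validate_vulnerable(&malformed, &lenient));
    println!("vulnerable, nbf mistyped, required:     {:?}", validate_vulnerable(&malformed, &strict));
    println!("fixed, nbf mistyped, not required:      {:?}", validate_fixed(&malformed, &lenient));
}
```

The second `println!` is the point a practitioner should take from this: with the vulnerable logic, listing every claim whose check is enabled in required_spec_claims turns the silently skipped check into a rejection, which is a reasonable interim configuration while the vendor update is rolled out. The hardened validator shows the stronger fix, treating a mistyped claim as an error rather than an absent one.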


How to mitigate CVE-2026-25537

Install updates from vendor's website.

Sources