[Pkg-rust-maintainers] Bug#1127319: rust-jsonwebtoken: CVE-2026-25537
Salvatore Bonaccorso
carnil at debian.org
Fri Feb 6 21:42:58 GMT 2026
Source: rust-jsonwebtoken
Version: 9.3.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for rust-jsonwebtoken.
CVE-2026-25537[0]:
| jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is
| a Type Confusion vulnerability in jsonwebtoken, specifically, in its
| claim validation logic. When a standard claim (such as nbf or exp)
| is provided with an incorrect JSON type (Like a String instead of a
| Number), the library’s internal parsing mechanism marks the claim as
| “FailedToParse”. Crucially, the validation logic treats this
| “FailedToParse” state identically to “NotPresent”. This means that
| if a check is enabled (like: validate_nbf = true), but the claim is
| not explicitly marked as required in required_spec_claims, the
| library will skip the validation check entirely for the malformed
| claim, treating it as if it were not there. This allows attackers to
| bypass critical time-based security restrictions (like “Not Before”
| checks) and commit potential authentication and authorization
| bypasses. This issue has been patched in version 10.3.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-25537
https://www.cve.org/CVERecord?id=CVE-2026-25537
[1] https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc
[2] https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
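The advisory quoted above describes the flaw as a missing distinction between a claim that is absent and a claim that is present but of the wrong JSON type. The following Rust model, added here as an illustration and not taken from the jsonwebtoken crate, the upstream fix, or the report, rebuilds that validation pattern with hand-constructed stand-ins (a `ClaimJson` value, a `Parsed` state, a two-field `Validation`) in place of the crate's real types and API. It shows the vulnerable shape, in which `FailedToParse` falls into the same branch as `NotPresent`, next to one hardened shape that rejects a malformed claim whenever the check is enabled; the hardened variant is a suggested pattern, not a transcription of commit abbc3076.

```rust
// Added model of the CVE-2026-25537 failure mode. Every type below is a
// hand-built stand-in; none of this is jsonwebtoken's actual code or API.

/// Constructed stand-in for the JSON value found under a claim key.
#[derive(Debug, Clone, PartialEq)]
enum ClaimJson {
    Missing,     // key absent from the payload
    Number(u64), // the expected NumericDate type
    Str(String), // wrong JSON type, e.g. "nbf": "later"
}

/// Three-way parse state, following the wording of the advisory.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Parsed {
    NotPresent,
    FailedToParse,
    Value(u64),
}

fn parse_numeric(c: &ClaimJson) -> Parsed {
    match c {
        ClaimJson::Missing => Parsed::NotPresent,
        ClaimJson::Number(n) => Parsed::Value(*n),
        ClaimJson::Str(_) => Parsed::FailedToParse,
    }
}

/// Assumed subset of the validation options: is the nbf check enabled, and
/// is "nbf" listed in required_spec_claims?
struct Validation {
    validate_nbf: bool,
    nbf_required: bool,
}

#[derive(Debug, PartialEq)]
enum ValidationError {
    MissingRequiredClaim,
    InvalidClaimType,
    ImmatureSignature,
}

/// Vulnerable shape: FailedToParse is folded into the NotPresent branch, so a
/// present-but-non-numeric nbf skips the time check whenever the claim is not
/// in required_spec_claims.
fn validate_nbf_vulnerable(v: &Validation, nbf: &ClaimJson, now: u64) -> Result<(), ValidationError> {
    if !v.validate_nbf {
        return Ok(());
    }
    match parse_numeric(nbf) {
        Parsed::Value(t) if t > now => Err(ValidationError::ImmatureSignature),
        Parsed::Value(_) => Ok(()),
        Parsed::NotPresent | Parsed::FailedToParse => {
            if v.nbf_required {
                Err(ValidationError::MissingRequiredClaim)
            } else {
                Ok(())
            }
        }
    }
}

/// Hardened shape (one way to close the gap, not the upstream patch): a claim
/// that is present but of the wrong type is rejected whenever the check is
/// enabled; only a truly absent claim may be skipped, and only if not required.
fn validate_nbf_fixed(v: &Validation, nbf: &ClaimJson, now: u64) -> Result<(), ValidationError> {
    if !v.validate_nbf {
        return Ok(());
    }
    match parse_numeric(nbf) {
        Parsed::Value(t) if t > now => Err(ValidationError::ImmatureSignature),
        Parsed::Value(_) => Ok(()),
        Parsed::FailedToParse => Err(ValidationError::InvalidClaimType),
        Parsed::NotPresent if v.nbf_required => Err(ValidationError::MissingRequiredClaim),
        Parsed::NotPresent => Ok(()),
    }
}

fn main() {
    // validate_nbf enabled, but "nbf" not in required_spec_claims: the
    // configuration the advisory describes as affected.
    let v = Validation { validate_nbf: true, nbf_required: false };
    let now = 1_700_000_000;

    // Constructed payloads: a well-formed future nbf and a string-typed nbf.
    let future = ClaimJson::Number(now + 3600);
    let malformed = ClaimJson::Str("later".to_string());

    println!("future, vulnerable: {:?}", validate_nbf_vulnerable(&v, &future, now)); // Err(ImmatureSignature)
    println!("string, vulnerable: {:?}", validate_nbf_vulnerable(&v, &malformed, now)); // Ok(())
    println!("string, fixed:      {:?}", validate_nbf_fixed(&v, &malformed, now)); // Err(InvalidClaimType)
    println!("absent, fixed:      {:?}", validate_nbf_fixed(&v, &ClaimJson::Missing, now)); // Ok(())
}
```

The model also makes the operational workaround visible: in the vulnerable shape, adding the claim to `required_spec_claims` (here `nbf_required: true`) turns the skipped check into a `MissingRequiredClaim` error, which is why the advisory singles out configurations where the claim is validated but not required.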