#VU122823 Type confusion in jsonwebtoken - CVE-2026-25537

Published: February 13, 2026


Vulnerability identifier: #VU122823
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-25537
CWE-ID: CWE-843
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
jsonwebtoken
Software vendor:
Vincent Prouillet

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to a type confusion error when parsing standard claims supplied in an incorrect format. If a claim is provided with an incorrect JSON type, the library's internal parsing mechanism marks the claim as "FailedToParse", and the validation logic treats this state identically to "NotPresent". If the corresponding check is enabled, e.g. "validate_nbf = true", but the claim is not explicitly listed as required in required_spec_claims, the library skips the validation check entirely for the malformed claim. A remote attacker can bypass authorization checks and gain unauthorized access to the application.
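To make the failure mode concrete, the following self-contained Rust model shows the three-state claim parsing described above, with the flawed "skip on FailedToParse" logic beside a hardened check, and shows that listing "nbf" in required_spec_claims closes the gap even with the flawed logic. This is an added illustration, not code from the jsonwebtoken crate: the `Json`, `TryParse`, `Validation` and `Verdict` types and the `check_nbf_*` functions are simplified stand-ins, and the sample claim sets are constructed.

```rust
use std::collections::{HashMap, HashSet};
/// Minimal stand-in for a decoded JSON value (hypothetical; not serde_json).
enum Json { Num(u64), Str(String) }

/// Three-state result of reading a typed claim, mirroring "NotPresent"/"FailedToParse" from the advisory.
#[derive(Debug, PartialEq)]
enum TryParse { Parsed(u64), NotPresent, FailedToParse }

fn parse_u64_claim(claims: &HashMap<String, Json>, key: &str) -> TryParse {
    match claims.get(key) {
        None => TryParse::NotPresent,
        Some(Json::Num(n)) => TryParse::Parsed(*n),
        Some(_) => TryParse::FailedToParse, // present, but with the wrong JSON type
    }
}

/// Hypothetical subset of the validation options the advisory names.
struct Validation { validate_nbf: bool, required_spec_claims: HashSet<String> }
#[derive(Debug, PartialEq)]
enum Verdict { Accepted, Rejected(&'static str) }

/// Flawed pattern from the advisory: FailedToParse is handled like NotPresent, so a
/// malformed "nbf" is silently skipped unless the claim is in required_spec_claims.
fn check_nbf_flawed(v: &Validation, claims: &HashMap<String, Json>, now: u64) -> Verdict {
    let nbf = parse_u64_claim(claims, "nbf");
    if v.required_spec_claims.contains("nbf") && !matches!(nbf, TryParse::Parsed(_)) {
        return Verdict::Rejected("required claim nbf missing or malformed");
    }
    if let TryParse::Parsed(t) = nbf {
        if v.validate_nbf && t > now { return Verdict::Rejected("token not yet valid"); }
    } // NotPresent and FailedToParse both fall through here: the check is skipped
    Verdict::Accepted
}

/// Hardened pattern: a claim that is present but has the wrong type is always rejected.
fn check_nbf_hardened(v: &Validation, claims: &HashMap<String, Json>, now: u64) -> Verdict {
    match parse_u64_claim(claims, "nbf") {
        TryParse::FailedToParse => Verdict::Rejected("nbf has wrong JSON type"),
        TryParse::NotPresent if v.required_spec_claims.contains("nbf") => Verdict::Rejected("required claim nbf missing"),
        TryParse::Parsed(t) if v.validate_nbf && t > now => Verdict::Rejected("token not yet valid"),
        _ => Verdict::Accepted,
    }
}

/// Constructed sample claim sets (not taken from any real token).
fn malformed_claims() -> HashMap<String, Json> { // "nbf" sent as a JSON string, not a number
    HashMap::from([("sub".to_string(), Json::Str("alice".to_string())), ("nbf".to_string(), Json::Str("2000000000".to_string()))])
}
fn future_claims() -> HashMap<String, Json> { // well-formed "nbf" that lies in the future
    HashMap::from([("sub".to_string(), Json::Str("alice".to_string())), ("nbf".to_string(), Json::Num(2_000_000_000))])
}
```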


Remediation

Install updates from the vendor's website.

External links