JWT-Related CVEs
Common Vulnerabilities and Exposures (CVEs) related to JWT implementations, libraries, and frameworks. Understanding these real-world vulnerabilities helps developers build more secure applications.
⚠️ Important: This page documents real CVEs that have been discovered in JWT-related software. Always keep your dependencies updated and follow security best practices.
1. CVE-2022-23529
Remote Code Execution in jsonwebtoken Library
📋 Description
A high-severity advisory against the `jsonwebtoken` npm package. `jwt.verify()` did not check the type of its `secretOrPublicKey` argument, so an object supplied there (instead of a string, Buffer or KeyObject) could carry a crafted method such as `toString()` that the library invoked during verification, running attacker-supplied code. The precondition is that the attacker controls the key object handed to `verify()`, not merely the token being verified; the CVE record was later withdrawn by its CNA on the grounds that this does not cross a trust boundary, but the type checks it prompted shipped in 9.0.0 and are worth having.
🔧 Affected Versions
jsonwebtoken versions before 9.0.0
💥 Impact
Only applications that let untrusted data reach the `secretOrPublicKey` argument (for example by selecting the key from a request-controlled object) are exposed; there, the attacker gains code execution inside the verifying process and with it everything that process can reach.
🛡️ Mitigation
Upgrade to jsonwebtoken 9.0.0 or later, which adds type checks on `secretOrPublicKey`. Never derive the verification key from request data; load it from your own configuration or a validated JWKS lookup, and pin the accepted algorithms with the `algorithms` option of `verify()` so the token header cannot choose them.
2. CVE-2025-53864
Denial of Service in Connect2id Nimbus JOSE+JWT
📋 Description
Connect2id Nimbus JOSE+JWT versions before 10.0.2 are susceptible to denial-of-service attacks via deeply nested JSON objects in JWT claim sets, leading to uncontrolled recursion and stack overflow.
🔧 Affected Versions
Connect2id Nimbus JOSE+JWT before version 10.0.2
💥 Impact
A token whose claim set nests arrays or objects many thousands of levels deep drives the recursive JSON parser until the thread's stack overflows; the request fails and a stream of such tokens keeps the service unavailable. Whether a valid signature is needed depends on whether the application reads the claims before checking the signature (for example to look up an issuer or key ID); a verifier that does is reachable unauthenticated.
🛡️ Mitigation
Upgrade to Connect2id Nimbus JOSE+JWT 10.0.2 or later. Independently, bound JSON nesting depth (and overall token size) before any recursive parsing, so hostile input is rejected in linear time and constant memory.
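The depth limit from the mitigation above, as an added example in Node.js. This is not Nimbus JOSE+JWT code; the 32-level cap, the function names and the sample tokens are constructed for the demonstration.

```javascript
// Added example, not Nimbus JOSE+JWT code. Bound the nesting depth of a JWT
// claim set before it reaches a recursive JSON parser. The scan is a single
// pass with O(1) state, so it cannot itself blow the stack.

const MAX_DEPTH = 32; // assumed limit; real claim sets are rarely more than a few levels deep

// Returns the maximum {/[ nesting depth of `text`, skipping the contents of
// JSON strings (a "{" inside a string is data, not structure). Throws
// RangeError as soon as `maxDepth` is exceeded, so hostile input is rejected
// after at most maxDepth+1 opening brackets have been seen.
function jsonNestingDepth(text, maxDepth = MAX_DEPTH) {
  let depth = 0, maxSeen = 0, inString = false, escaped = false;
  for (const ch of text) {
    if (inString) {
      if (escaped) escaped = false;
      else if (ch === '\\') escaped = true;
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') {
      inString = true;
    } else if (ch === '{' || ch === '[') {
      depth += 1;
      if (depth > maxDepth) throw new RangeError(`JSON nesting exceeds ${maxDepth}`);
      if (depth > maxSeen) maxSeen = depth;
    } else if (ch === '}' || ch === ']') {
      depth -= 1;
    }
  }
  return maxSeen;
}

// Decode the claim-set segment of a compact JWS and parse it only after the
// depth check passes. Signature verification is out of scope for this example;
// in a real verifier the depth check runs before verification as well, since
// it is far cheaper than a signature operation.
function parseClaimsSafely(jwt, maxDepth = MAX_DEPTH) {
  if (typeof jwt !== 'string' || jwt.split('.').length !== 3) {
    throw new Error('not a compact JWS');
  }
  const json = Buffer.from(jwt.split('.')[1], 'base64url').toString('utf8');
  jsonNestingDepth(json, maxDepth); // RangeError on hostile input
  return JSON.parse(json);
}

// Constructed sample tokens; the signature segment is left empty because this
// example only exercises parsing.
function buildUnsignedToken(payloadJson) {
  const b64 = (s) => Buffer.from(s).toString('base64url');
  return `${b64('{"alg":"HS256","typ":"JWT"}')}.${b64(payloadJson)}.`;
}
const BENIGN_TOKEN = buildUnsignedToken('{"sub":"alice","roles":{"admin":false}}');
// 100000 nested arrays: enough to overflow the stack of a naive recursive parser.
const HOSTILE_TOKEN = buildUnsignedToken('{"a":' + '['.repeat(100000) + ']'.repeat(100000) + '}');
```

The scanner deliberately does not validate the JSON; it only counts structure, leaving full validation to `JSON.parse` once the input is known to be shallow. Run the depth check on the header segment too if your parser decodes the header recursively.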
3. CVE-2025-4643
JWT Not Invalidated on Logout in Payload CMS
📋 Description
Payload CMS versions before 3.44.0 fail to invalidate JWTs upon user logout, so a token intercepted before the user logged out remains valid until its natural expiration.
🔧 Affected Versions
Payload CMS before version 3.44.0
💥 Impact
A token that leaks (browser compromise, log capture, interception) remains usable after the user has logged out, for as long as its `exp` allows, which may be hours or days depending on the configured lifetime.
🛡️ Mitigation
Upgrade to Payload CMS 3.44.0 or later. In general, keep access tokens short-lived and pair them with refresh tokens the server can revoke, or keep a server-side denylist of revoked token IDs (`jti`) that retains each entry until that token's `exp`.
4. CVE-2025-2559
Unbounded Cache Growth in Keycloak JWT Authentication
📋 Description
Keycloak's JWT token authentication mechanism caches tokens until expiration without size limitations, potentially leading to an OutOfMemoryError when tokens have long expiration times.
🔧 Affected Versions
Keycloak versions with the affected JWT token cache (multiple versions)
💥 Impact
Each authenticated token is held in memory until its `exp`; with long-lived tokens the cache only grows, until the JVM exhausts its heap and throws OutOfMemoryError, taking the Keycloak instance down.
🛡️ Mitigation
Apply the Keycloak security update for this CVE. Independently: cap the number of cache entries and evict on overflow, keep token lifetimes short (a cache whose retention equals token lifetime can hold at most as many entries as tokens issued within that lifetime), and alert on sustained heap growth.
5. CVE-2022-25898
Improper Signature Verification in jsrsasign
📋 Description
The jsrsasign package before 10.5.25 does not check that the JWS signature segment consists only of Base64URL characters before verifying it, so a signature containing characters outside that alphabet could still be decoded and accepted as valid.
🔧 Affected Versions
jsrsasign package before version 10.5.25
💥 Impact
Attackers can craft JWTs whose signature segment contains characters outside the Base64URL alphabet and have them incorrectly accepted as valid, forging tokens and reaching protected resources without the signing key.
🛡️ Mitigation
Upgrade to jsrsasign 10.5.25 or later. In any verifier, check each segment against the strict Base64URL alphabet (`[A-Za-z0-9_-]`, no padding) before decoding, and compare the computed and presented signatures in constant time.
6. CVE-2019-17195
Uncaught Exceptions in Connect2id Nimbus JOSE+JWT Parsing
📋 Description
Connect2id Nimbus JOSE+JWT versions before 7.9 can throw uncaught exceptions while parsing a malformed JWT. Depending on how the caller handles them, the result is an application crash (and possibly an information-disclosing stack trace) or, if the exception is swallowed and processing continues, a skipped authentication check.
🔧 Affected Versions
Connect2id Nimbus JOSE+JWT before version 7.9
💥 Impact
A malformed token can crash the parsing thread (denial of service) or, where the surrounding code catches too broadly and continues, leave the request treated as authenticated.
🛡️ Mitigation
Upgrade to Connect2id Nimbus JOSE+JWT 7.9 or later. Wrap parse and verify calls so that any exception is a rejection of the token (fail closed), and check the compact-serialization shape (three non-empty Base64URL segments) before handing the string to the parser.
7. CVE-2025-62610
Missing Audience Claim Validation in Hono JWT Auth
📋 Description
Hono's JWT Auth Middleware versions 1.1.0 to before 4.10.2 do not validate the 'aud' (Audience) claim by default, so a token issued for a different audience is accepted as long as its signature verifies.
🔧 Affected Versions
Hono JWT Auth Middleware versions 1.1.0 to before 4.10.2
💥 Impact
A valid token minted for one service is accepted by another that shares the same issuer and key, so a token scoped to a low-privilege audience can reach endpoints meant for a different one. A signature proves who issued the token, not whom it was for.
🛡️ Mitigation
Upgrade to Hono 4.10.2 or later and configure the expected audience. Whatever the library, verify on every request that `aud` contains this service's identifier, and have the issuer set a distinct `aud` per consuming service.
8. CVE-2020-15222
Token Reuse via Missing JTI Uniqueness Check in ORY Fosite
📋 Description
ORY Fosite versions before 0.31.0 do not check the uniqueness of the `jti` (JWT ID) claim of the client assertion used with the `private_key_jwt` client authentication method, so the same assertion can be presented more than once.
🔧 Affected Versions
ORY Fosite before version 0.31.0
💥 Impact
An attacker who captures a client_assertion JWT (from logs, a proxy, or a compromised intermediary) can replay it to authenticate as that client until its `exp`, defeating the one-time-use property the assertion is meant to have.
🛡️ Mitigation
Upgrade to ORY Fosite 0.31.0 or later. Record each accepted assertion's `jti` until its `exp` and reject any repeat; keep that store bounded and expiry-pruned so it cannot itself become a memory sink, and require a short `exp` on assertions.
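A server-side store of JWT IDs that covers the three state-related findings on this page: the logout denylist missing from Payload CMS (section 3), the size bound missing from Keycloak's token cache (section 4), and the `jti` replay check missing from Fosite's `private_key_jwt` handling (this section). This is an added example in Node.js, not code from any of those projects; the cap of 100000 entries, the injectable clock and the helper names are assumptions made for the demonstration.

```javascript
// Added example; not code from Payload CMS, Keycloak or ORY Fosite.
// One in-memory store of JWT IDs that (a) drops entries at the token's own exp,
// so a jti is never remembered longer than the token could be used, and (b) is
// capped in size, so a flood of long-lived tokens cannot grow it without bound.
// The same store backs two checks: a denylist of tokens revoked at logout, and
// a seen-set for one-time client assertions (private_key_jwt) to stop replay.

class JtiStore {
  // maxEntries is an assumed cap; size it for the number of live tokens you expect.
  // `now` is a seconds clock, injectable so expiry can be tested deterministically.
  constructor({ maxEntries = 100000, now = () => Math.floor(Date.now() / 1000) } = {}) {
    this.maxEntries = maxEntries;
    this.now = now;
    this.entries = new Map(); // jti -> exp; Map preserves insertion order, used for eviction
  }

  // Remove every jti whose token has already expired: it can no longer be
  // presented successfully, so keeping it is wasted memory.
  prune() {
    const t = this.now();
    for (const [jti, exp] of this.entries) {
      if (exp <= t) this.entries.delete(jti);
    }
  }

  // Remember `jti` until `exp`. Returns false if the jti is already known
  // (a replay, or a token revoked twice) or already expired. A token with no
  // integer exp is refused outright: unbounded lifetime means unbounded retention.
  add(jti, exp) {
    if (typeof jti !== 'string' || !Number.isInteger(exp)) {
      throw new TypeError('jti (string) and exp (integer seconds) are required');
    }
    if (this.entries.has(jti)) return false;
    if (exp <= this.now()) return false;
    if (this.entries.size >= this.maxEntries) {
      this.prune();
      // Still full: evict the oldest insertions. This keeps memory bounded at the
      // cost that a very old revoked token could be honoured again; the fail-closed
      // alternative is to refuse the new entry and surface an error to the caller.
      while (this.entries.size >= this.maxEntries) {
        this.entries.delete(this.entries.keys().next().value);
      }
    }
    this.entries.set(jti, exp);
    return true;
  }

  // True if `jti` is remembered and its exp has not passed.
  has(jti) {
    const exp = this.entries.get(jti);
    if (exp === undefined) return false;
    if (exp <= this.now()) { this.entries.delete(jti); return false; }
    return true;
  }
}

// Logout flow (the Payload CMS case): claims come from an already-verified token.
function revokeOnLogout(store, claims) { return store.add(claims.jti, claims.exp); }
function isRevoked(store, claims) { return store.has(claims.jti); }

// Client-assertion flow (the Fosite case): each private_key_jwt assertion's jti
// may be accepted once; a second presentation before its exp is a replay.
function acceptAssertionOnce(store, claims) { return store.add(claims.jti, claims.exp); }
```

In a multi-instance deployment the same logic belongs in a shared store (for example a key-value store with per-key TTL equal to `exp - now`), but the two invariants carry over unchanged: retention never exceeds the token's lifetime, and the total footprint is capped.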
9. CVE-2022-22311
JWT Token Validation Weakness in IBM Security Verify Access
📋 Description
IBM Security Verify Access has a JWT token validation weakness due to improper input validation, potentially allowing unauthorized access.
🔧 Affected Versions
Multiple IBM Security Verify Access versions
💥 Impact
Improper input validation in JWT token processing can allow attackers to bypass authentication or authorization checks, leading to unauthorized access to protected resources.
🛡️ Mitigation
Apply the latest security patches from IBM. Review and strengthen JWT validation logic. Implement comprehensive input validation for all JWT claims and header parameters.
10. CVE-2021-3127
Incorrect Access Control in NATS Server JWT Library
📋 Description
NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 mishandle Import Token bindings, leading to incorrect access control and potential unauthorized access.
🔧 Affected Versions
NATS Server 2.x before 2.2.0, JWT library before 2.0.1
💥 Impact
Improper handling of Import Token bindings can lead to incorrect access control decisions, allowing users to access resources or perform actions beyond their intended permissions.
🛡️ Mitigation
Upgrade to NATS Server 2.2.0 or later and JWT library 2.0.1 or later. Review Import Token binding configurations. Implement proper access control validation.
11. CVE-2024-54150
Algorithm Confusion Attack in cjwt Library
📋 Description
An algorithm confusion vulnerability in the `cjwt` C library: when a token's header `alg` is changed from RS256 to HS256, the library verifies it with HMAC-SHA256 keyed with the bytes of the RSA public key it was configured with, so anyone who holds the public key can produce tokens that verify.
🔧 Affected Versions
cjwt library versions before the fix
💥 Impact
The public key is, by design, public. An attacker who has it signs arbitrary claims (for example an elevated role) with HS256 using that key as the secret, relabels the header, and the verifier accepts the token as if it had been signed with the private key.
🛡️ Mitigation
Upgrade to a fixed cjwt release. Pin the expected algorithm in the verifier rather than reading it from the header, bind each key to exactly one algorithm (an RSA public key is never an HMAC secret), and reject any token whose header `alg` differs from the pinned value, including `none`.
🔍 How to Stay Protected
- ✓ Keep Dependencies Updated: Regularly update your JWT libraries and frameworks to the latest secure versions.
- ✓ Monitor Security Advisories: Subscribe to security feeds for libraries you use (GitHub Security Advisories, NVD, etc.).
- ✓ Use Dependency Scanning: Integrate tools like Dependabot, Snyk, or npm audit to automatically detect vulnerable dependencies.
- ✓ Follow Security Best Practices: Implement proper JWT validation, use strong algorithms, validate all claims, and implement token revocation.
- ✓ Security Testing: Regularly test your JWT implementation for vulnerabilities and conduct security audits.