Source: rust-jsonwebtoken Version: 9.3.1-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for rust-jsonwebtoken. CVE-2026-25537[0]: | jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is | a Type Confusion vulnerability in jsonwebtoken, specifically, in its | claim validation logic. When a standard claim (such as nbf or exp) | is provided with an incorrect JSON type (Like a String instead of a | Number), the library’s internal parsing mechanism marks the claim as | “FailedToParse”. Crucially, the validation logic treats this | “FailedToParse” state identically to “NotPresent”. This means that | if a check is enabled (like: validate_nbf = true), but the claim is | not explicitly marked as required in required_spec_claims, the | library will skip the validation check entirely for the malformed | claim, treating it as if it were not there. This allows attackers to | bypass critical time-based security restrictions (like “Not Before” | checks) and commit potential authentication and authorization | bypasses. This issue has been patched in version 10.3.0. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-25537 https://www.cve.org/CVERecord?id=CVE-2026-25537 [1] https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc [2] https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
