PT-2025-11698 · Fast-Jwt · Fast-Jwt

Published: 2025-03-19 · Updated: 2025-07-08 · CVE-2025-30144

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Name of the Vulnerable Software and Affected Versions
fast-jwt versions prior to 5.0.6

Description
The fast-jwt library does not validate the iss claim as required by RFC 7519: it accepts an array of strings as a valid iss value. This enables an attack in which a malicious actor crafts a JWT whose iss claim is an array containing both a malicious and a legitimate issuer domain. The permissive validation deems the JWT valid, and if the application relies on external libraries that do not independently validate the iss claim, the attacker can forge a JWT that the victim application accepts.

Recommendations
For versions prior to 5.0.6, update to version 5.0.6 to fix the issue. As a temporary workaround, validate the iss claim independently in your application to ensure it is a single string matching the expected issuer domain, and restrict the use of external libraries that do not perform this validation.

Weakness Enumeration

Insufficient Verification of Data Authenticity
Authentication Bypass by Spoofing

Related Identifiers

CVE-2025-30144
GHSA-GM45-Q3V2-6CF8

Affected Products

Fast-Jwt