PT-2025-39695 · Unknown · Formbricks

Published: 2025-09-26 · Updated: 2025-11-02 · CVE-2025-59934

CVSS v2.0: 9.7 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:P
Name of the Vulnerable Software and Affected Versions: Formbricks versions prior to 4.0.1
Description: Formbricks, an open source Qualtrics alternative, is affected by a missing JWT signature verification issue. The token validation routine only decodes JWTs without verifying their signatures, expiration, issuer, or audience. This impacts the email verification token login path and the password reset server action. An attacker who obtains a victim’s user.id can craft a JWT with an 'alg: "none"' header to authenticate and reset the victim’s password. Approximately 6.3K+ services are found on the internet yearly.
Recommendations: Upgrade to version 4.0.1 or later to resolve this issue.

Exploit

Fix

Weakness Enumeration

Insufficient Verification of Data Authenticity
Improper Verification of Cryptographic Signature
Improper Authentication

Related Identifiers

BDU:2026-02093
CVE-2025-59934
GHSA-7229-Q9PV-J6P4

Affected Products

Formbricks