PT-2025-39697 · Get-Jwks

Published: 2025-09-26 · Updated: 2025-09-28 · CVE-2025-59936

CVSS v3.1: 9.4 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: get-jwks versions prior to 11.0.2

Description: A flaw exists in the get-jwks library's JWKS key-fetching mechanism. When the issuer (iss) claim is validated only after keys have been retrieved from the cache, a key cached for an unexpected issuer can be reused, bypassing issuer validation. A malicious actor can craft JWTs by first ensuring a public key of their choosing is cached and then relying on that cached key to pass signature validation for a targeted issuer. The vulnerability arises when issuer validation is performed after get-jwks has been used to retrieve keys, which is a common configuration. The root cause lies in how cache keys are constructed: collisions are possible, allowing an attacker to control which key is used for signature verification.

Recommendations: Update to get-jwks version 11.0.2 or later.

Weakness Enumeration

Improper Encoding or Escaping of Output

Related Identifiers

CVE-2025-59936
GHSA-QC2Q-QHF3-235M

Affected Products

Get-Jwks