PT-2025-6252 · Unknown · Distribution
Evanebb · Published 2025-02-11 · Updated 2026-01-23
CVE-2025-24976
CVSS v4.0: 6.6 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: Distribution versions 3.0.0-beta.1 through 3.0.0-rc.2
Description: The issue lies in how the JSON Web Key (JWK) verification is performed. When a JSON Web Token (JWT) contains a JWK header without a certificate chain, the code only checks whether the key ID (kid) matches one of the trusted keys, but does not verify that the actual key material matches the trusted key registered under that kid. This allows an attacker to inject an untrusted signing key in a JWT.
Recommendations: For versions 3.0.0-beta.1 through 3.0.0-rc.2, update to version 3.0.0-rc.3 or later, which includes the fix for the issue, available at commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd. As a temporary workaround, consider disabling token authentication until a patch is available.
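As an added illustration that is not Distribution's own code, the Go example below contrasts the flawed lookup the description mentions (kid match only) with a hardened lookup that also compares key material, using RFC 7638 JWK thumbprints. The RSAJWK struct, the function names and the placeholder key values are assumptions made for the example, and only the chain-less (no x5c) header path from the description is modelled.

```go
package main
import (
	"crypto/sha256"
	"encoding/json"
	"errors"
)
// RSAJWK: RSA JSON Web Key subset (RFC 7517); no x5c, matching the chain-less header path.
type RSAJWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
// thumbprint is the RFC 7638 SHA-256 thumbprint over the required public members in
// lexicographic order; it identifies the key material itself, not the kid label.
func (k RSAJWK) thumbprint() ([32]byte, error) {
	if k.Kty != "RSA" || k.N == "" || k.E == "" {
		return [32]byte{}, errors.New("unsupported or incomplete JWK")
	}
	// Marshaling a struct of plain strings cannot fail, so the error is safely ignored.
	canonical, _ := json.Marshal(struct {
		E   string `json:"e"`
		Kty string `json:"kty"`
		N   string `json:"n"`
	}{k.E, k.Kty, k.N})
	return sha256.Sum256(canonical), nil
}
// lookupByKidOnly mirrors the flawed check: a known kid suffices, and the key material
// carried in the token header is what would then verify the signature.
func lookupByKidOnly(hdr RSAJWK, trusted map[string]RSAJWK) (RSAJWK, error) {
	if _, ok := trusted[hdr.Kid]; !ok {
		return RSAJWK{}, errors.New("untrusted kid")
	}
	return hdr, nil
}
// lookupByKeyMaterial is the hardened check: the header key must have the same thumbprint
// as the trusted key registered under that kid, and the trusted copy is what gets used.
func lookupByKeyMaterial(hdr RSAJWK, trusted map[string]RSAJWK) (RSAJWK, error) {
	want, ok := trusted[hdr.Kid]
	if !ok {
		return RSAJWK{}, errors.New("untrusted kid")
	}
	got, errGot := hdr.thumbprint()
	exp, errExp := want.thumbprint()
	if errGot != nil || errExp != nil || got != exp {
		return RSAJWK{}, errors.New("JWK key material does not match trusted key for kid")
	}
	return want, nil
}
```

The trusted-key map would be populated from the registry's configured root keys; the N values used in testing are placeholders, not real moduli.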

Exploit · Fix · IDOR

Weakness Enumeration

Related Identifiers

CVE-2025-24976
GHSA-PHW4-MC57-4HWC
GO-2025-3460
OPENSUSE-SU-2025:14889-1

Affected Products

Distribution