PT-2026-6316 · Unknown · Jsonwebtoken

Kr1Shna4Garwal · Published 2026-02-03 · Updated 2026-02-10 · CVE-2026-25537

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: jsonwebtoken versions prior to 10.3.0

Description: A type confusion issue exists in jsonwebtoken, specifically within its claim validation logic. When a standard claim such as 'nbf' or 'exp' is provided with an incorrect JSON type (for example a string instead of a number), the library marks the claim as "FailedToParse". The validation logic then treats this "FailedToParse" state the same as "NotPresent". Consequently, if a check is enabled (e.g. validate_nbf = true) but the claim is not explicitly listed in required_spec_claims, the library skips the validation check entirely for the malformed claim, effectively treating it as if it were absent. This allows an attacker to bypass critical time-based restrictions such as the "Not Before" check, potentially leading to authentication and authorization bypasses. The issue arises from the interaction between the TryParse enum and the validate function. The vulnerability impacts authentication systems and application stability.

Recommendations: Update to jsonwebtoken version 10.3.0 or later.
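The following is an added example and not the jsonwebtoken crate's own code: a small Rust model of the claim-validation logic the description covers, placing the vulnerable "FailedToParse is handled like NotPresent" path beside a hardened path that rejects a present-but-mistyped claim. The ClaimValue type, the function signatures and the way required_spec_claims is checked are assumptions made for the model; only the TryParse states, validate_nbf and required_spec_claims come from the advisory.

```rust
// Added model of the advisory's logic; not the crate's real implementation.
#[derive(Debug, Clone, PartialEq)]
enum ClaimValue { Number(u64), Str(String) }   // assumed minimal JSON value type

#[derive(Debug, PartialEq)]
enum TryParse { Parsed(u64), FailedToParse, NotPresent } // states named in the advisory

#[derive(Debug, PartialEq)]
enum ValidationError { ImmatureSignature, InvalidClaimType, MissingRequiredClaim }

fn try_parse(claim: Option<&ClaimValue>) -> TryParse {
    match claim {
        None => TryParse::NotPresent,
        Some(ClaimValue::Number(n)) => TryParse::Parsed(*n),
        Some(_) => TryParse::FailedToParse,          // wrong JSON type, e.g. a string
    }
}

/// Vulnerable handling: FailedToParse collapses into the NotPresent branch, so a
/// mistyped nbf skips the check unless "nbf" is listed in required_spec_claims.
fn validate_nbf_vulnerable(nbf: Option<&ClaimValue>, now: u64, validate_nbf: bool,
                           required_spec_claims: &[&str]) -> Result<(), ValidationError> {
    match try_parse(nbf) {
        TryParse::Parsed(t) if validate_nbf && now < t => Err(ValidationError::ImmatureSignature),
        TryParse::Parsed(_) => Ok(()),
        TryParse::FailedToParse | TryParse::NotPresent => {
            if required_spec_claims.contains(&"nbf") { Err(ValidationError::MissingRequiredClaim) }
            else { Ok(()) }
        }
    }
}

/// Hardened handling (assumed; not necessarily the crate's 10.3.0 patch): a claim that is
/// present but of the wrong type is always an error, so it can never be silently skipped.
fn validate_nbf_fixed(nbf: Option<&ClaimValue>, now: u64, validate_nbf: bool,
                      required_spec_claims: &[&str]) -> Result<(), ValidationError> {
    match try_parse(nbf) {
        TryParse::FailedToParse => Err(ValidationError::InvalidClaimType),
        TryParse::NotPresent if required_spec_claims.contains(&"nbf") => Err(ValidationError::MissingRequiredClaim),
        TryParse::NotPresent => Ok(()),
        TryParse::Parsed(t) if validate_nbf && now < t => Err(ValidationError::ImmatureSignature),
        TryParse::Parsed(_) => Ok(()),
    }
}

fn main() {
    // Constructed token claim: nbf carried as a string, far in the future.
    let mistyped_nbf = ClaimValue::Str("2000000000".to_string());
    let now = 1_700_000_000;
    println!("vulnerable: {:?}", validate_nbf_vulnerable(Some(&mistyped_nbf), now, true, &[]));
    println!("fixed:      {:?}", validate_nbf_fixed(Some(&mistyped_nbf), now, true, &[]));
}
```

Running it shows the vulnerable path returning Ok for the mistyped claim while the hardened path returns InvalidClaimType; a correctly typed future nbf is rejected as ImmatureSignature by both.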

Tags: Exploit · Fix · DoS · Type Confusion

Weakness Enumeration

Related Identifiers: CVE-2026-25537, GHSA-H395-GR6Q-CPJC

Affected Products: Jsonwebtoken