CVE-2025-59936

NONE EPSS 29.1%
Published Sep 27, 2025 (9mo ago) · Modified Jun 17, 2026 (2w ago)

Description

get-jwks contains fetch utils for JWKS keys. In versions prior to 11.0.2, a vulnerability in get-jwks can lead to cache poisoning in the JWKS key-fetching mechanism. When the iss (issuer) claim is validated only after keys are retrieved from the cache, it is possible for cached keys from an unexpected issuer to be reused, resulting in a bypass of issuer validation.

This design flaw enables a potential attack where a malicious actor crafts a pair of JWTs: the first one ensures that a chosen public key is fetched and stored in the shared JWKS cache, and the second one leverages that cached key to pass signature validation for a targeted iss value. The vulnerability works only if the iss validation is done after the use of get-jwks for key retrieval.

This issue has been patched in version 11.0.2.

Threat Intelligence

EPSS Exploit Probability
29.1% percentile
Exploit & Patch Status
No Known Exploit
Patch available: fixed in get-jwks 11.0.2 (fix commit and advisory listed under References)

Weaknesses 1

CWE-116: Improper Encoding or Escaping of Output

References 2

  • Fix commit: https://github.com/nearform/get-jwks/commit/1706a177a80a1759fe68e3339dc5a219ce03ddb9
  • GitHub advisory GHSA-qc2q-qhf3-235m: https://github.com/nearform/get-jwks/security/advisories/GHSA-qc2q-qhf3-235m

Remediation

Upgrade get-jwks to 11.0.2 or later, the version the advisory names as patched.

In application code, validate the iss claim against an allowlist of expected issuers before calling get-jwks to retrieve a key. The description states the issue is exploitable only when issuer validation happens after key retrieval, so moving the iss check ahead of the key lookup removes the precondition even on unpatched versions.

Check the vendor advisory and the NVD entry for any further updates.