- What: A type confusion vulnerability exists in the jsonwebtoken Rust library that can lead to authorization bypass.
- Impact: Incorrect JSON types in standard claims can cause the library to misinterpret the claim's state, potentially bypassing validation checks.
- Affected: jsonwebtoken versions prior to 10.3.0.
- Patch: Version 10.3.0 contains a fix for this vulnerability.
- CVE: CVE-2026-25537
Security Advisories: CVE-2026-25537
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25537
Severity: Unknown

Summary
jsonwebtoken has a type confusion vulnerability that leads to a potential authorization bypass.

Description
jsonwebtoken is a JWT library in Rust. Prior to version 10.3.0, there is a type confusion vulnerability in jsonwebtoken, specifically in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (such as a string instead of a number), the library's internal parsing mechanism marks the claim as "FailedToParse". Crucially, the validation logic treats this "FailedToParse" state identically to "NotPresent". This means that if a check is enabled (for example, validate_nbf = true) but the claim is not explicitly listed as required in required_spec_claims, the library skips the validation check entirely for the malformed claim, treating it as if it were not there. An attacker can therefore bypass time-based restrictions (such as the "Not Before" check), leading to potential authentication and authorization bypasses. This issue has been patched in version 10.3.0.

References
- https://nvd.nist.gov/vuln/detail/CVE-2026-25537
- https://github.com/advisories/GHSA-h395-gr6q-cpjc
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25537.json
- https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01
- https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc

Affected packages
Advisories are based on vulnerability information provided by Grype from Anchore.

© 2025 Chainguard. All Rights Reserved.
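The following is an added, self-contained Rust model of the claim-state logic the description above names (Present, NotPresent, FailedToParse). It is not jsonwebtoken's own code: the `JsonValue`, `ClaimState`, `Claims` and `Validation` types, the `validate_vulnerable` and `validate_fixed` functions, and the sample claims are all constructed for this illustration. It shows why a validator that folds "FailedToParse" into "NotPresent" lets a wrongly typed nbf through when the claim is enabled but not required, and how treating a parse failure as a hard error closes that gap.

```rust
// Added illustration of the claim-state logic described in the advisory.
// This is NOT jsonwebtoken's code; JsonValue, ClaimState, Claims and
// Validation are stand-ins modelled on the advisory text.

/// Minimal stand-in for a JSON claim value (constructed for this example).
#[derive(Debug, Clone, PartialEq)]
pub enum JsonValue {
    Number(i64),
    Str(String),
    Absent,
}

/// The three states the advisory describes for a standard claim.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum ClaimState {
    Present(i64),
    NotPresent,
    FailedToParse,
}

/// nbf/exp must be numeric; any other JSON type fails to parse.
pub fn parse_numeric_claim(v: &JsonValue) -> ClaimState {
    match v {
        JsonValue::Number(n) => ClaimState::Present(*n),
        JsonValue::Absent => ClaimState::NotPresent,
        JsonValue::Str(_) => ClaimState::FailedToParse,
    }
}

pub struct Claims {
    pub nbf: JsonValue,
    pub exp: JsonValue,
}

/// Mirrors the validation switches named in the advisory.
pub struct Validation {
    pub validate_nbf: bool,
    pub validate_exp: bool,
    pub required_spec_claims: Vec<&'static str>,
}

/// Shared check for one time-based claim. `reject_unparsed` is the only
/// difference between the vulnerable and the fixed behaviour.
fn check_time_claim(
    name: &'static str,
    enabled: bool,
    state: ClaimState,
    in_range: impl Fn(i64) -> bool,
    v: &Validation,
    reject_unparsed: bool,
) -> Result<(), String> {
    if !enabled {
        return Ok(());
    }
    let required = v.required_spec_claims.contains(&name);
    match state {
        ClaimState::Present(t) if in_range(t) => Ok(()),
        ClaimState::Present(_) => Err(format!("claim {} fails time check", name)),
        ClaimState::FailedToParse if reject_unparsed => {
            Err(format!("claim {} has the wrong JSON type", name))
        }
        // Vulnerable path: FailedToParse is handled exactly like NotPresent, so a
        // malformed claim that is not in required_spec_claims is silently skipped.
        ClaimState::NotPresent | ClaimState::FailedToParse => {
            if required {
                Err(format!("required claim {} missing", name))
            } else {
                Ok(())
            }
        }
    }
}

fn validate_with(claims: &Claims, now: i64, v: &Validation, reject_unparsed: bool) -> Result<(), String> {
    check_time_claim("nbf", v.validate_nbf, parse_numeric_claim(&claims.nbf), |t| t <= now, v, reject_unparsed)?;
    check_time_claim("exp", v.validate_exp, parse_numeric_claim(&claims.exp), |t| t > now, v, reject_unparsed)
}

/// Behaviour before 10.3.0 as the advisory describes it.
pub fn validate_vulnerable(claims: &Claims, now: i64, v: &Validation) -> Result<(), String> {
    validate_with(claims, now, v, false)
}

/// Behaviour the fix restores: a claim of the wrong type is an error, not an absent claim.
pub fn validate_fixed(claims: &Claims, now: i64, v: &Validation) -> Result<(), String> {
    validate_with(claims, now, v, true)
}

fn main() {
    let now: i64 = 1_700_000_000; // constructed "current time"
    let v = Validation { validate_nbf: true, validate_exp: true, required_spec_claims: vec!["exp"] };
    // Constructed claims: nbf carries a string where a number is expected.
    let claims = Claims { nbf: JsonValue::Str("1900000000".to_string()), exp: JsonValue::Number(now + 3600) };
    println!("vulnerable: {:?}", validate_vulnerable(&claims, now, &v));
    println!("fixed:      {:?}", validate_fixed(&claims, now, &v));
}
```

The defensive takeaway mirrors the fix: a claim that is present but of the wrong type must never collapse into the same state as a claim that is absent, because "absent and optional" is a legitimate pass while "present and unparseable" is a malformed token. Upgrading to 10.3.0 is the remedy; as a belt-and-braces measure, listing nbf and exp in required_spec_claims also prevents the skip on affected versions, since the required path rejects both non-Present states.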