EXECUTIVE SUMMARY:
A type confusion vulnerability exists in the jsonwebtoken Rust crate that can lead to authorization bypass in applications using this library. The flaw affects all versions earlier than 10.3.0 of jsonwebtoken and could allow an attacker to bypass intended authorization restrictions under certain conditions. The issue has been assigned CVE-2026-25537 and is rated Moderate severity, with an overall CVSS score of 5.5. The vulnerability arises from improper handling of specific internal types, which causes the library to misinterpret potentially malicious token inputs. Exploitation requires no privileges and no user interaction, and it can be triggered over a network.
RECOMMENDATION:
We strongly recommend you update jsonwebtoken to version 10.3.0.
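The following script is an added example (not part of this advisory or of the jsonwebtoken project) showing how to check a Rust project's Cargo.lock for resolved jsonwebtoken versions older than the fixed release. It assumes 10.3.0 as the fixed version stated above; the embedded lockfile content is constructed for illustration and is not taken from any real project.

```python
"""Audit a Cargo.lock for jsonwebtoken versions below the fixed release.

Added example, not part of the advisory or the jsonwebtoken project.
Assumes the first fixed version is 10.3.0, as the advisory states.
Run with a path argument to scan a real lockfile; with no argument it
scans the constructed sample below.
"""
import re
import sys

CRATE = "jsonwebtoken"
FIXED_VERSION = (10, 3, 0)   # first fixed release named in the advisory

# Constructed sample lockfile (not from a real project). Cargo.lock may
# resolve the same crate at several versions, so both entries are kept.
SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "base64"
version = "0.22.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "jsonwebtoken"
version = "9.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "base64",
]

[[package]]
name = "jsonwebtoken"
version = "10.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""


def parse_version(text):
    """Turn '10.3.0' (or '10.3.0-rc.1') into a comparable tuple (10, 3, 0).

    Pre-release and build metadata suffixes are dropped for comparison.
    """
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def parse_cargo_lock(content):
    """Return [(name, version), ...] for every [[package]] entry."""
    entries = []
    name = version = None
    for raw in content.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if name and version:
                entries.append((name, version))
            name = version = None
            continue
        match = re.match(r'^(name|version)\s*=\s*"([^"]*)"$', line)
        if match:
            if match.group(1) == "name":
                name = match.group(2)
            else:
                version = match.group(2)
    if name and version:
        entries.append((name, version))
    return entries


def vulnerable_versions(content, crate=CRATE, fixed=FIXED_VERSION):
    """Return every resolved version of `crate` that is older than `fixed`."""
    return [v for (n, v) in parse_cargo_lock(content)
            if n == crate and parse_version(v) < fixed]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = fh.read()
    else:
        lock = SAMPLE_CARGO_LOCK
    found = vulnerable_versions(lock)
    if found:
        print(f"{CRATE} below 10.3.0 found: {', '.join(found)} (update required)")
        sys.exit(1)
    print(f"no {CRATE} version below 10.3.0 in lockfile")
```

The check walks every [[package]] entry rather than stopping at the first match, because a lockfile can pin the same crate at more than one version when different dependencies require incompatible releases; the sample above shows that case, and only the 9.3.1 entry is reported.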
REFERENCES:
The following reports contain further technical details: