VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-vqka-wrgj-77eg

Essentials
Severities (14)
References (7)
Severity details (13)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-vqka-wrgj-77eg
Aliases	CVE-2025-30144 GHSA-gm45-q3v2-6cf8
Summary	fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 5.0.6, the fast-jwt library does not properly validate the iss claim based on the RFC 7519. The iss (issuer) claim validation within the fast-jwt library permits an array of strings as a valid iss value. This design flaw enables a potential attack where a malicious actor crafts a JWT with an iss claim structured as ['https://attacker-domain/', 'https://valid-iss']. Due to the permissive validation, the JWT will be deemed valid. Furthermore, if the application relies on external libraries like get-jwks that do not independently validate the iss claim, the attacker can leverage this vulnerability to forge a JWT that will be accepted by the victim application. Essentially, the attacker can insert their own domain into the iss array, alongside the legitimate issuer, and bypass the intended security checks. This issue is fixed in 5.0.6.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-290	Authentication Bypass by Spoofing
CWE-345	Insufficient Verification of Data Authenticity
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.02126	https://api.first.org/data/v1/epss?cve=CVE-2025-30144
cvssv3.1	6.5	https://datatracker.ietf.org/doc/html/rfc7519#page-9
generic_textual	MODERATE	https://datatracker.ietf.org/doc/html/rfc7519#page-9
ssvc	Track	https://datatracker.ietf.org/doc/html/rfc7519#page-9
cvssv3.1	6.5	https://github.com/nearform/fast-jwt
generic_textual	MODERATE	https://github.com/nearform/fast-jwt
cvssv3.1	6.5	https://github.com/nearform/fast-jwt/commit/cc26b1d473f900446ad846f8f0b10eb1c0adcbdd
generic_textual	MODERATE	https://github.com/nearform/fast-jwt/commit/cc26b1d473f900446ad846f8f0b10eb1c0adcbdd
ssvc	Track	https://github.com/nearform/fast-jwt/commit/cc26b1d473f900446ad846f8f0b10eb1c0adcbdd
cvssv3.1	6.5	https://github.com/nearform/fast-jwt/security/advisories/GHSA-gm45-q3v2-6cf8
generic_textual	MODERATE	https://github.com/nearform/fast-jwt/security/advisories/GHSA-gm45-q3v2-6cf8
ssvc	Track	https://github.com/nearform/fast-jwt/security/advisories/GHSA-gm45-q3v2-6cf8
cvssv3.1	6.5	https://nvd.nist.gov/vuln/detail/CVE-2025-30144
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2025-30144

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2025-30144
		https://github.com/nearform/fast-jwt
		https://nvd.nist.gov/vuln/detail/CVE-2025-30144
cc26b1d473f900446ad846f8f0b10eb1c0adcbdd		https://github.com/nearform/fast-jwt/commit/cc26b1d473f900446ad846f8f0b10eb1c0adcbdd
GHSA-gm45-q3v2-6cf8		https://github.com/advisories/GHSA-gm45-q3v2-6cf8
GHSA-gm45-q3v2-6cf8		https://github.com/nearform/fast-jwt/security/advisories/GHSA-gm45-q3v2-6cf8
rfc7519#page-9		https://datatracker.ietf.org/doc/html/rfc7519#page-9

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://datatracker.ietf.org/doc/html/rfc7519#page-9

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-19T18:29:09Z/ Found at https://datatracker.ietf.org/doc/html/rfc7519#page-9

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://github.com/nearform/fast-jwt

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://github.com/nearform/fast-jwt/commit/cc26b1d473f900446ad846f8f0b10eb1c0adcbdd

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-19T18:29:09Z/ Found at https://github.com/nearform/fast-jwt/commit/cc26b1d473f900446ad846f8f0b10eb1c0adcbdd

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://github.com/nearform/fast-jwt/security/advisories/GHSA-gm45-q3v2-6cf8

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-19T18:29:09Z/ Found at https://github.com/nearform/fast-jwt/security/advisories/GHSA-gm45-q3v2-6cf8

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-30144

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.84525
EPSS Score	0.02126
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:57:11.961534+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2025/30xxx/CVE-2025-30144.json	38.6.0