CVE-2025-59936
CVE-2025-59936
Weakness (CWE)
CVSS Vector
v3.0- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- Scope
- Unchanged
- Confidentiality
- High
- Integrity
- High
- Availability
- Low
Description
get-jwks contains fetch utils for JWKS keys. In versions prior to 11.0.2, a vulnerability in get-jwks can lead to cache poisoning in the JWKS key-fetching mechanism. When the iss (issuer) claim is validated only after keys are retrieved from the cache, it is possible for cached keys from an unexpected issuer to be reused, resulting in a bypass of issuer validation. This design flaw enables a potential attack where a malicious actor crafts a pair of JWTs, the first one ensuring that a chosen public key is fetched and stored in the shared JWKS cache, and the second one leveraging that cached key to pass signature validation for a targeted iss value. The vulnerability will work only if the iss validation is done after the use of get-jwks for keys retrieval. This issue has been patched in version 11.0.2.
Comprehensive Technical Analysis of CVE-2025-59936
1. Vulnerability Assessment and Severity Evaluation
CVE ID: CVE-2025-59936 CVSS Score: 9.4
The vulnerability in get-jwks prior to version 11.0.2 involves a cache poisoning issue in the JWKS (JSON Web Key Set) key-fetching mechanism. This design flaw allows for the bypass of issuer (iss) validation, potentially leading to unauthorized access or data manipulation. The high CVSS score of 9.4 indicates a critical vulnerability due to its potential for significant impact and ease of exploitation.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Cache Poisoning: An attacker can manipulate the JWKS cache by crafting a pair of JWTs (JSON Web Tokens). The first JWT ensures that a chosen public key is fetched and stored in the shared JWKS cache. The second JWT leverages the cached key to pass signature validation for a targeted issuer value.
- Issuer Validation Bypass: The vulnerability is exploitable if the issuer validation is performed after the keys are retrieved from the cache. This allows the attacker to bypass the issuer validation mechanism.
Exploitation Methods:
- Crafting Malicious JWTs: The attacker crafts two JWTs. The first JWT is designed to ensure that a specific public key is fetched and stored in the JWKS cache. The second JWT uses this cached key to pass signature validation, effectively bypassing the issuer validation.
- Network Interception: The attacker may intercept network traffic to inject the malicious JWTs, ensuring that the targeted system fetches and caches the compromised keys.
3. Affected Systems and Software Versions
Affected Software:
get-jwksversions prior to 11.0.2
Affected Systems:
- Any system or application that uses
get-jwksfor JWKS key-fetching and relies on the issuer validation mechanism. This includes but is not limited to:- Authentication and authorization systems
- API gateways
- Single Sign-On (SSO) solutions
- OAuth2 and OpenID Connect implementations
4. Recommended Mitigation Strategies
Immediate Actions:
- Upgrade to Version 11.0.2: Ensure that all instances of
get-jwksare upgraded to version 11.0.2 or later, which includes the patch for this vulnerability. - Clear JWKS Cache: Clear the JWKS cache to remove any potentially compromised keys.
Long-Term Mitigations:
- Implement Strict Issuer Validation: Ensure that issuer validation is performed before keys are retrieved from the cache.
- Regular Security Audits: Conduct regular security audits and code reviews to identify and mitigate similar design flaws.
- Monitor for Suspicious Activity: Implement monitoring and logging to detect any suspicious activity related to JWT processing and key-fetching.
5. Impact on Cybersecurity Landscape
The discovery and exploitation of this vulnerability highlight the importance of secure design and implementation of JWT and JWKS mechanisms. The potential for cache poisoning and issuer validation bypass underscores the need for robust security practices in authentication and authorization systems. This vulnerability serves as a reminder for organizations to regularly update and patch their software dependencies and to conduct thorough security assessments.
6. Technical Details for Security Professionals
Vulnerability Details:
- Root Cause: The vulnerability arises from the order of operations in the
get-jwkslibrary. Specifically, the issuer validation is performed after the keys are retrieved from the cache, allowing for the reuse of cached keys from an unexpected issuer. - Exploitation Steps:
- The attacker crafts a JWT with a chosen public key and ensures it is fetched and stored in the JWKS cache.
- The attacker then crafts a second JWT using the cached key to pass signature validation for a targeted issuer value.
- The targeted system, relying on the compromised cached key, bypasses the issuer validation, leading to unauthorized access or data manipulation.
Detection and Response:
- Log Analysis: Analyze logs for unusual patterns in JWT processing and key-fetching activities.
- Intrusion Detection Systems (IDS): Implement IDS rules to detect and alert on suspicious JWT and JWKS activities.
- Incident Response Plan: Develop and maintain an incident response plan specifically for JWT-related vulnerabilities, including steps for cache clearing and key rotation.
Conclusion:
CVE-2025-59936 represents a critical vulnerability in the get-jwks library that can lead to cache poisoning and issuer validation bypass. Organizations must prioritize upgrading to the patched version and implementing robust security measures to mitigate the risk. Regular security assessments and proactive monitoring are essential to safeguard against similar vulnerabilities in the future.