A critical security flaw discovered in Formbricks, an open-source experience management platform, demonstrates how missing JWT signature verification can lead to complete account takeovers.\u00a0<\/p>\n
The vulnerability tracked as CVE-2025-59934 affects all versions prior to 4.0.1 and stems from improper token validation<\/a> that uses jwt.decode() instead of jwt.verify(), allowing attackers to bypass authentication controls entirely.<\/p>\n The vulnerability was disclosed by security researcher mattinannt and has been classified as critical due to its potential for unauthorized access to user accounts.\u00a0<\/p>\n Formbricks has since released version 4.0.1 to address this security issue, but organizations running older versions remain at significant risk.<\/p>\n The core vulnerability exists in the token validation routine located in \/formbricks\/apps\/web\/lib\/jwt.ts.\u00a0<\/p>\n The problematic code implements a verifyToken function that only decodes JWT tokens without performing essential security checks:<\/p>\n This implementation fails to verify critical JWT components, including digital signatures, token expiration, issuer validation, and audience verification.\u00a0<\/p>\n The function uses jwt.decode() which simply parses the JWT structure without cryptographic validation, treating any properly formatted JWT as authentic regardless of its legitimacy.<\/p>\n Both the email verification token login path and password reset functionality rely on this flawed validator.\u00a0<\/p>\n When processing password reset requests, the system extracts the user ID from the unverified JWT payload and directly queries the database to update the corresponding user\u2019s password.\u00a0<\/p>\n This bypass mechanism allows attackers who possess a victim\u2019s user.id to craft malicious JWTs using the \u201calg\u201d: \u201cnone\u201d algorithm header, effectively creating unsigned tokens that pass validation.<\/p>\n The exploit requires minimal prerequisites \u2013 attackers need only to discover the target user\u2019s unique identifier, which follows Formbricks\u2019 standard format (e.g., cmfuc8pk60000vxfjud7bcl2w).\u00a0<\/p>\n The attack leverages the \u201cnone\u201d algorithm specification in JWT headers, which indicates no signature verification should be performed.<\/p>\n The proof-of-concept demonstrates<\/a> token forgery using a Python script that constructs a malicious JWT:<\/p>\n The attack sequence follows these steps: the attacker crafts a JWT with header {\u201calg\u201d: \u201cnone\u201d, \u201ctyp\u201d: \u201cJWT\u201d} and payload containing the victim\u2019s user ID, constructs a password reset URL containing the forged token, and submits the form with a new password.\u00a0<\/p>\n The server\u2019s verifyToken function accepts the unsigned token, extracts the user ID, and proceeds with the password update without performing signature verification.<\/p>\nJWT Validation Vulnerability<\/strong><\/h2>\n
![\"Formbricks](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2025\/09\/image-180.png?resize=715%2C117&ssl=1\")
<\/figure>\n<\/div>\n![\"Formbricks](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2025\/09\/image-181.png?resize=741%2C367&ssl=1\")
<\/figure>\n<\/div>\n