A critical security flaw found in Formbricks, an open-source experience management platform, demonstrates how missing JWT signature verification can result in full account takeovers.
The vulnerability, tracked as CVE-2025-59934, affects all versions prior to 4.0.1 and stems from improper token validation that uses jwt.decode() instead of jwt.verify(), allowing attackers to bypass authentication controls entirely.
The vulnerability was disclosed by security researcher mattinannt and has been rated critical because of its potential for unauthorized access to user accounts.
Formbricks has since released version 4.0.1 to address this security issue, but organizations running older versions remain at significant risk.
JWT Validation Vulnerability
The core vulnerability exists in the token validation routine located in /formbricks/apps/web/lib/jwt.ts.
The problematic code implements a verifyToken function that only decodes JWT tokens without performing essential security checks:
This implementation fails to verify critical JWT elements, including the digital signature, token expiration, issuer, and audience.
The function uses jwt.decode(), which merely parses the JWT structure without cryptographic validation, treating any properly formatted JWT as authentic regardless of its legitimacy.
Both the email verification token login path and the password reset functionality rely on this flawed validator.
When processing password reset requests, the system extracts the user ID from the unverified JWT payload and directly queries the database to update the corresponding user's password.
This bypass allows attackers who possess a victim's user.id to craft malicious JWTs using the "alg": "none" algorithm header, effectively creating unsigned tokens that pass validation.
The exploit requires minimal prerequisites: attackers need only discover the target user's unique identifier, which follows Formbricks' standard format (e.g., cmfuc8pk60000vxfjud7bcl2w).
The attack leverages the "none" algorithm specification in JWT headers, which signals that no signature verification should be performed.
The proof-of-concept demonstrates token forgery using a Python script that constructs a malicious JWT:
The attack sequence follows these steps: the attacker crafts a JWT with header {"alg": "none", "typ": "JWT"} and a payload containing the victim's user ID, constructs a password reset URL containing the forged token, and submits the form with a new password.
The server's verifyToken function accepts the unsigned token, extracts the user ID, and proceeds with the password update without performing signature verification.
Risk Factors / Details
Affected Products: Formbricks
Impact: Elevate privileges and take over a victim's account
Exploit Prerequisites: Know the victim's exact user.id. Craft a malicious JWT with an alg: "none" header. Submit the crafted JWT to the email verification token login path or the password reset server action. No privileges and no user interaction from the victim.
CVSS 3.1 Score: 9.4 (Critical)
This attack vector demonstrates a fundamental authentication bypass vulnerability in which the absence of cryptographic validation renders the entire JWT-based security model ineffective.
The vulnerability affects password reset functionality and email verification processes, potentially enabling widespread account compromise across Formbricks installations.
Organizations using affected Formbricks versions should immediately upgrade to version 4.0.1 or later and review their authentication logs for suspicious password reset activity.
The fix implements proper JWT signature verification using jwt.verify() instead of the weak jwt.decode() method, ensuring that only cryptographically valid tokens can authenticate users and authorize sensitive operations like password resets.