GHSA-vm9r-h74p-hg97
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vm9r-h74p-hg97
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vm9r-h74p-hg97/GHSA-vm9r-h74p-hg97.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vm9r-h74p-hg97
- Aliases
- Published
- 2026-03-31T23:09:16Z
- Modified
- 2026-03-31T23:21:05.456511Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- jose vulnerable to untrusted JWK header key acceptance during signature verification
- Details
-
Impact
A vulnerability in
joseversions up to and including0.3.5could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header (jwk).The vulnerability exists because key selection could treat header-provided
jwkas a verification candidate even when that key was not present in the trusted key store. Since JOSE headers are untrusted input, an attacker could exploit this by creating a token payload, embedding an attacker-controlled public key in the header, and signing with the matching private key.Applications using affected versions for token verification are impacted.
Patches
Upgrade to
0.3.5+1or later.Workarounds
Reject tokens where header
jwkis present unless thatjwkmatches a key already present in the application's trusted key store.Resources
Fix commit: fix: improved key resolution in JsonWebKeyStore
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-03-31T23:09:16Z", "severity": "HIGH", "nvd_published_at": "2026-03-31T16:16:33Z", "cwe_ids": [ "CWE-347" ] }- References
Affected packages
Pub / jose
Package
- Name
- jose
- Purl
- pkg:pub/jose
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.3.5+1