CVE-2025-59934

26.09.2025, 23:15

Formbricks is an open source qualtrics alternative. Prior to version 4.0.1, Formbricks is missing JWT signature verification. This vulnerability stems from a token validation routine that only decodes JWTs (jwt.decode) without verifying their signatures. Both the email verification token login path and the password reset server action use the same validator, which does not check the tokens signature, expiration, issuer, or audience. If an attacker learns the victims actual user.id, they can craft an arbitrary JWT with an alg: "none" header and use it to authenticate and reset the victims password. This issue has been patched in version 4.0.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.4 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
GitHub_M	CNA	9.4 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-287 - Improper Authentication
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

References

https://github.com/formbricks/formbricks/blob/843110b0d6c37b5c0da54291616f84c91c55c4fc/apps/web/lib/jwt.ts#L114-L117

https://github.com/formbricks/formbricks/commit/eb1349f205189d5b2d4a95ec42245ca98cf68c82

https://github.com/formbricks/formbricks/pull/6596

https://github.com/formbricks/formbricks/security/advisories/GHSA-7229-q9pv-j6p4