CVE-2025-30144: Fast-JWT Improperly Validates iss Claims

March 19, 2025 (updated March 20, 2025)

The fast-jwt library does not properly validate the iss claim based on the RFC https://datatracker.ietf.org/doc/html/rfc7519#page-9.

References

datatracker.ietf.org/doc/html/rfc7519
github.com/advisories/GHSA-gm45-q3v2-6cf8
github.com/nearform/fast-jwt
github.com/nearform/fast-jwt/commit/cc26b1d473f900446ad846f8f0b10eb1c0adcbdd
github.com/nearform/fast-jwt/security/advisories/GHSA-gm45-q3v2-6cf8
nvd.nist.gov/vuln/detail/CVE-2025-30144

Code Behaviors & Features

Detect and mitigate CVE-2025-30144 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →