Platform
nodejs
Component
formbricks
Fixed in
4.0.2
CVE-2025-59934 affects Formbricks versions prior to 4.0.1. This vulnerability involves a critical flaw in JWT signature verification, allowing attackers to potentially gain unauthorized access and control user accounts. The issue stems from the lack of signature validation within the token decoding process, impacting both email verification and password reset functionalities. A fix is available in version 4.0.1.
The impact of CVE-2025-59934 is significant. An attacker who can obtain a victim's user ID can craft a malicious JWT with an `alg: "none"` header, effectively bypassing authentication. This allows the attacker to impersonate the victim, gain full access to their Formbricks account, and potentially reset their password. This could lead to data breaches, unauthorized modifications to forms, and complete compromise of the affected user's data. Because the signature is never verified, any crafted JWT is accepted, making exploitation relatively straightforward. This vulnerability shares similarities with other JWT bypass attacks where signature validation is overlooked.
CVE-2025-59934 was publicly disclosed on 2025-09-26. The vulnerability's severity is high due to the ease of exploitation and the potential impact. No public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability is well-understood, and a PoC is likely to emerge. The EPSS score is likely to be medium to high, reflecting the potential for widespread exploitation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-59934 is to immediately upgrade Formbricks to version 4.0.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. While a direct workaround is difficult without modifying the core Formbricks code, implementing strict rate limiting on login and password reset endpoints can help mitigate the risk of automated attacks. Monitor logs for unusual JWT activity, specifically tokens whose header carries `alg: "none"`. After upgrading, confirm the fix by attempting to craft a JWT with `alg: "none"` and verifying that the authentication system rejects it.
Update Formbricks to version 4.0.1 or later. This version fixes the JWT signature verification vulnerability. The update can be performed through the package manager used in your project (npm, yarn, etc.).
CVE-2025-59934 is a CRITICAL vulnerability in Formbricks versions ≤ 4.0.1 where JWT signature verification is missing, allowing attackers to forge tokens and bypass authentication.
If you are running Formbricks version 4.0.1 or earlier, you are potentially affected by this vulnerability. Check your version immediately.
Upgrade Formbricks to version 4.0.1 or later to resolve this vulnerability. Implement rate limiting as a temporary mitigation if upgrading is not immediately possible.
While no active exploitation has been confirmed publicly, the vulnerability is well-understood and a PoC is likely to emerge, making proactive mitigation essential.
Refer to the official Formbricks security advisory for detailed information and updates: [https://formbricks.com/security/advisories](https://formbricks.com/security/advisories)