logo

Database

Lack of data validation In jose

Description

jose vulnerable to untrusted JWK header key acceptance during signature verification

Impact

A vulnerability in jose versions up to and including 0.3.5 could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header (jwk).

The vulnerability exists because key selection could treat header-provided jwk as a verification candidate even when that key was not present in the trusted key store. Since JOSE headers are untrusted input, an attacker could exploit this by creating a token payload, embedding an attacker-controlled public key in the header, and signing with the matching private key.

Applications using affected versions for token verification are impacted.

Patches

Upgrade to 0.3.5+1 or later.

Workarounds

Reject tokens where header jwk is present unless that jwk matches a key already present in the application's trusted key store.

Resources

Fix commit: fix: improved key resolution in JsonWebKeyStore

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-342402. NVD-2026-342403. OSV-2026-342404. GHSA-vm9r-h74p-hg975. GCVE-2026-34240

References

1. https://github.com/appsup-dart/jose/security/advisories/GHSA-vm9r-h74p-hg972. https://github.com/appsup-dart/jose/commit/b07799aac1f56a9a21483feac026272aab30cc5d

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.