
Description

Formbricks is an open source Qualtrics alternative. Prior to version 4.0.1, Formbricks is missing JWT signature verification. The token validation routine only decodes JWTs (jwt.decode) and never verifies their signatures. Both the email verification token login path and the password reset server action use this same validator, which checks neither the token's signature nor its expiration, issuer, or audience. An attacker who learns the victim's actual user.id can therefore craft an arbitrary JWT with an alg: "none" header and use it to authenticate as the victim and reset the victim's password. This issue has been patched in version 4.0.1.

Status: PUBLISHED | Reserved 2025-09-23 | Published 2025-09-26 | Updated 2025-09-29 | Assigner: GitHub_M

CRITICAL: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)

Problem types

CWE-347: Improper Verification of Cryptographic Signature

CWE-345: Insufficient Verification of Data Authenticity

CWE-287: Improper Authentication

Product status

< 4.0.1: affected

References

github.com/...bricks/security/advisories/GHSA-7229-q9pv-j6p4

github.com/formbricks/formbricks/pull/6596

github.com/...ommit/eb1349f205189d5b2d4a95ec42245ca98cf68c82

github.com/...5c0da54291616f84c91c55c4fc/apps/web/lib/jwt.ts

cve.org (CVE-2025-59934)

nvd.nist.gov (CVE-2025-59934)
