CVE-2025-59934
Formbricks missing JWT signature verification
In short
Formbricks doesn't verify that login and password reset tokens are legitimate, allowing attackers to forge fake tokens and take over accounts if they know a user's ID. This is a critical flaw because these tokens are the main security barrier protecting accounts.
Technical detail
Formbricks' JWT validation routine performs decoding without signature verification, allowing attackers to craft tokens with alg: "none" and bypass authentication controls. The vulnerability affects both email verification login and password reset endpoints; exploitation requires knowledge of the target user.id and results in account takeover via unauthorized password reset or session hijacking.
Summary generated and translated by AI from the official description.
Formbricks is an open source qualtrics alternative. Prior to version 4.0.1, Formbricks is missing JWT signature verification. This vulnerability stems from a token validation routine that only decodes JWTs (jwt.decode) without verifying their signatures. Both the email verification token login path and the password reset server action use the same validator, which does not check the token’s signature, expiration, issuer, or audience. If an attacker learns the victim’s actual user.id, they can craft an arbitrary JWT with an alg: "none" header and use it to authenticate and reset the victim’s password. This issue has been patched in version 4.0.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Affected products
formbricks · formbricksWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://github.com/formbricks/formbricks/blob/843110b0d6c37b5c0da54291616f84c91c55c4fc/apps/web/lib/jwt.ts#L114-L117https://github.com/formbricks/formbricks/commit/eb1349f205189d5b2d4a95ec42245ca98cf68c82https://github.com/formbricks/formbricks/pull/6596https://github.com/formbricks/formbricks/security/advisories/GHSA-7229-q9pv-j6p4