
security: upgrade jsonwebtoken 9→10.3 (CVE-2026-25537) #86

Merged
Enreign merged 1 commit into main from fix/jsonwebtoken-10.3
Mar 19, 2026

Conversation

@Enreign Enreign (Collaborator) commented Mar 19, 2026

Summary

  • Upgrades jsonwebtoken from 9.3.1 → 10.3.0 to fix GHSA-h395-gr6q-cpjc (CVE-2026-25537)
  • The vulnerability allowed type confusion in nbf/exp claim validation where FailedToParse was treated as NotPresent, enabling bypass of time-based JWT checks
  • No API changes required in src/teams.rs — the used APIs (decode_header, Algorithm, DecodingKey, Validation, decode) are stable across v9→v10

Test plan

  • cargo check --features teams passes cleanly
  • cargo test --features teams — all 477 tests pass
  • Cargo.lock resolves to jsonwebtoken 10.3.0
  • CI green

Closes Dependabot alert #1.

🤖 Generated with Claude Code

GHSA-h395-gr6q-cpjc: Type confusion in nbf/exp claim validation —
FailedToParse was treated as NotPresent, allowing bypass of time-based
checks. Fixed in jsonwebtoken 10.3.0.

The Teams integration (src/teams.rs) uses only stable APIs
(decode_header, Algorithm, DecodingKey, Validation, decode) that are
fully compatible across the v9→v10 boundary; no code changes required.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
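The advisory summary above hinges on a three-way distinction for a time claim: absent, present-but-unparseable, and present with a valid NumericDate. The following is an added illustration, not code from this repository or from the jsonwebtoken crate: a small stand-alone Rust model with a hypothetical `Claim` enum, a constructed `Json` value type, and a `Validation` struct whose `required` list is an assumption made for the example. It places the weak handling (a parse failure collapsed into "not present", so a malformed `exp` is only rejected when the claim is required) beside the hardened handling (a parse failure is always a rejection), which is the behaviour a defender wants when reviewing a JWT validation layer.

```rust
use std::collections::HashMap;

/// Raw JSON-like claim values as they appear in a decoded payload (constructed for this example).
#[derive(Debug, Clone, PartialEq)]
enum Json {
    Number(f64),
    Str(String),
}

/// A decoded payload keyed by claim name (constructed type for this example).
type Payload = HashMap<&'static str, Json>;

/// State of a numeric-date claim (exp / nbf) after extraction.
/// Hypothetical model of the three-way distinction named in the advisory; not the crate's type.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Claim {
    NotPresent,
    FailedToParse,
    Present(u64),
}

/// RFC 7519 NumericDate: a non-negative JSON number of seconds since the epoch.
/// Anything else that is present (a string, a fraction) is FailedToParse, not NotPresent.
fn extract_numeric_date(payload: &Payload, name: &str) -> Claim {
    match payload.get(name) {
        None => Claim::NotPresent,
        Some(Json::Number(n)) if *n >= 0.0 && n.fract() == 0.0 => Claim::Present(*n as u64),
        Some(_) => Claim::FailedToParse,
    }
}

/// Validation options (assumed shape for this example).
struct Validation {
    validate_exp: bool,
    validate_nbf: bool,
    leeway: u64,
    /// Claims that must be present for the token to be accepted.
    required: &'static [&'static str],
}

#[derive(Debug, PartialEq)]
enum Rejection {
    Expired,
    Immature,
    MissingClaim(&'static str),
    InvalidClaim(&'static str),
}

// Window predicates: (now, claim value, leeway) -> true when the token is outside the window.
fn expired(now: u64, exp: u64, leeway: u64) -> bool { now > exp + leeway }
fn immature(now: u64, nbf: u64, leeway: u64) -> bool { now + leeway < nbf }

/// Shared time-claim check. `strict` selects the hardened handling of FailedToParse.
fn validate(payload: &Payload, v: &Validation, now: u64, strict: bool) -> Result<(), Rejection> {
    let checks: [(&'static str, bool, fn(u64, u64, u64) -> bool, Rejection); 2] = [
        ("exp", v.validate_exp, expired, Rejection::Expired),
        ("nbf", v.validate_nbf, immature, Rejection::Immature),
    ];
    for (name, enabled, outside, rejection) in checks {
        if !enabled {
            continue;
        }
        match extract_numeric_date(payload, name) {
            Claim::Present(t) if outside(now, t, v.leeway) => return Err(rejection),
            Claim::Present(_) => {}
            // Hardened: a claim that is present but malformed is never treated as absent.
            Claim::FailedToParse if strict => return Err(Rejection::InvalidClaim(name)),
            // Weak: FailedToParse falls through and is handled exactly like NotPresent,
            // so an unparseable exp/nbf only fails when that claim is in `required`.
            Claim::NotPresent | Claim::FailedToParse => {
                if v.required.contains(&name) {
                    return Err(Rejection::MissingClaim(name));
                }
            }
        }
    }
    Ok(())
}

/// Weak variant: the bug class described in the PR (parse failure == absence).
fn validate_weak(payload: &Payload, v: &Validation, now: u64) -> Result<(), Rejection> {
    validate(payload, v, now, false)
}

/// Hardened variant: parse failure is always a rejection.
fn validate_hardened(payload: &Payload, v: &Validation, now: u64) -> Result<(), Rejection> {
    validate(payload, v, now, true)
}

/// Constructed sample payload with a subject and the given exp value.
fn sample_payload(exp: Json) -> Payload {
    let mut p = HashMap::new();
    p.insert("sub", Json::Str("alice".into()));
    p.insert("exp", exp);
    p
}

fn main() {
    let v = Validation { validate_exp: true, validate_nbf: true, leeway: 0, required: &[] };
    let now = 1_700_000_000u64; // constructed "current time"
    let malformed = sample_payload(Json::Str("never".into()));
    println!("weak:     {:?}", validate_weak(&malformed, &v, now));
    println!("hardened: {:?}", validate_hardened(&malformed, &v, now));
}
```

The design point is the separate `Claim::FailedToParse` arm: a validator that only distinguishes "present and valid" from "everything else" silently turns a malformed claim into an optional one whenever the claim is not in the required set. Keeping the unparseable state explicit (and rejecting it unconditionally) is the check to look for when reviewing any claim-validation code, whichever library provides it.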
@Enreign Enreign merged commit 43d5c12 into main Mar 19, 2026
5 checks passed
@Enreign Enreign deleted the fix/jsonwebtoken-10.3 branch March 19, 2026 07:08