JWT Type Confusion Vulnerability in nuts-node auth/v1 introspection endpoint (CVE-2025-41164)

Vulnerability Overview In the access token introspection endpoint, there is a JWT type confusion vulnerability. This endpoint accepts any JWT signed by a key on the node without verifying the JWT type, issuer-key binding, or required claims. This allows a Verifiable Presentation (VP) JWT to be impersonated as an access token and receive an introspection response with . Affected Versions Affected Versions: - and below - and below Fixed Versions: - - Fix Starting from and , the following checks have been added: 1. iss-to-kid binding: Extract the DID from and verify that it matches the claim. 2. Required claim verification: Reject tokens where is empty. 3. typ header validation: Require the access token type to be . Additionally, the access token creation code has been updated to use to comply with RFC 9068. Exploit Code No specific POC code or exploit code is provided on the page. Additional Information CVSS v3 Base Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Changed - Confidentiality: Low - Integrity: Low - Availability: None CVE ID: CVE-2025-41164 Weakness: CWE-345 Credits: - stevenvegt (Vulnerability Developer) - reinikul (Vulnerability Validator) Mitigating Factors is empty: Resource servers that strictly require a non-empty field may reject requests at the application level. is empty: VP-JWTs do not set , so resource servers checking this field will see an empty value. Short-lived VPs: VPs typically expire within minutes, narrowing the attack window. v1 is legacy: The v2 flow uses opaque access tokens and is not affected. Workaround If updating is not possible, resource servers can mitigate this risk by explicitly validating the introspection response: reject responses where is empty, is empty or does not match the expected issuer DID, or does not match the expected requester DID.

Goal Reached Thanks to every supporter — we hit 100%!

JWT Type Confusion Vulnerability in nuts-node auth/v1 introspection endpoint (CVE-2025-41164)

More from this source