CVE-2025-30144: 
JavaScript vulnerability analysis and mitigation

The fast-jwt library contains a vulnerability (CVE-2025-30144) in versions prior to 5.0.6 related to improper validation of the JWT iss (issuer) claim. The vulnerability was disclosed on March 19, 2025. The library incorrectly permits an array of strings as a valid iss value, which deviates from RFC 7519 specifications. This affects applications using the fast-jwt library for JWT validation (GHSA Advisory).

The vulnerability stems from a design flaw in the iss claim validation mechanism. The library accepts an array of strings as a valid iss value, contrary to RFC 7519 specifications which require it to be a single string. This permissive validation allows attackers to craft JWTs with an iss claim structured as ['https://attacker-domain/', 'https://valid-iss']. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Medium), with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N (GHSA Advisory).

When exploited, this vulnerability allows attackers to bypass security checks by inserting their own domain into the iss array alongside legitimate issuers. This is particularly dangerous when applications rely on external libraries like get-jwks that don't independently validate the iss claim. The impact is heightened as it allows attackers to forge JWTs that will be accepted by victim applications, potentially leading to unauthorized access and security bypass (GHSA Advisory).

The vulnerability has been fixed in version 5.0.6 of the fast-jwt library. The fix involves modifying the validator to accept only string values for the iss claim, as specified in RFC 7519. Users should upgrade to version 5.0.6 or later to address this vulnerability (GHSA Advisory).