CVE-2025-59936: 
JavaScript vulnerability analysis and mitigation

CVE-2025-59936 affects get-jwks versions prior to 11.0.2, where a vulnerability in the JWKS key-fetching mechanism can lead to cache poisoning. The vulnerability was discovered and disclosed on September 26, 2025, impacting applications that use get-jwks for JWT validation (GitHub Advisory).

The vulnerability occurs when the iss (issuer) claim is validated only after keys are retrieved from the cache. This design flaw allows cached keys from an unexpected issuer to be reused, resulting in a bypass of issuer validation. The attack involves crafting two JWTs: the first ensures a chosen public key is stored in the shared JWKS cache, while the second leverages that cached key to pass signature validation for a targeted iss value. The vulnerability has received a CVSS v3.0 base score of 9.4 (Critical) with vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L (GitHub Advisory).

Applications relying on get-jwks for key retrieval, even with iss validation post-fetching, are vulnerable to attackers signing arbitrary payloads that will be accepted by the verifiers. This can lead to authentication bypass and potential unauthorized access to protected resources (GitHub Advisory).

The vulnerability has been patched in version 11.0.2 by implementing proper escaping of components used in the cache key to prevent delimiter collisions. Users should upgrade to this version or later to address the vulnerability (GitHub Advisory, GitHub Commit).