CriticalPublic exploit

Formbricks JWT Signature Verification Bypass Account Takeover

IdentifiersCVE-2025-59934CWE-347· Improper Verification of…

CVE-2025-59934 affects Formbricks, an open source survey platform, prior to version 4.0.1. The vulnerability is caused by improper JWT validation: the application decodes tokens using jwt.decode but does not verify the JWT signature. The same flawed validator is used in both the email-verification token login flow and the password-reset server action. As described, the validator also fails to validate other critical claims and properties, including expiration, issuer, and audience. Because of this, an attacker who knows a victim’s valid user.id can forge an arbitrary JWT, including one using an alg:"none" header, and have it accepted as authentic by the application. This can be used to authenticate as the victim and reset the victim’s password, resulting in account takeover. The issue is patched in Formbricks 4.0.1.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables account takeover of targeted Formbricks users. An attacker can forge authentication or password-reset tokens for a victim, log in as that user, and reset the victim’s password. This provides unauthorized access to the victim account and any data or actions available through that account.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, disable or tightly restrict exposed flows that rely on the vulnerable validator, particularly email-verification token login and password-reset actions. Rotate any secrets associated with authentication workflows as appropriate, monitor for suspicious password resets and anomalous logins, and invalidate outstanding reset or login tokens. Additional compensating controls may include requiring secondary verification for password resets and limiting access to affected endpoints until patched.

Remediation

Patch, then assume compromise.

Upgrade Formbricks to version 4.0.1 or later, which patches the vulnerable token validation logic. Ensure JWT handling performs full cryptographic signature verification and validates relevant claims such as expiration, issuer, and audience. Reject unsigned tokens and disallow insecure algorithm handling such as alg:"none".

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

the hacker newsNews

Oct 6, 2025

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

A critical vulnerability in Formbricks, details not specified in the content.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-59934

NVD

nvd.nist.gov/vuln/detail/CVE-2025-59934

MITRE CWE · CWE-347

Improper Verification of Cryptographic Signature

github.com

github.com/formbricks/formbricks/blob/843110b0d6c37b5c0da54291616f84c91c55c4fc/apps/web/lib/jwt.ts

github.com

github.com/formbricks/formbricks/commit/eb1349f205189d5b2d4a95ec42245ca98cf68c82

github.com

github.com/formbricks/formbricks/pull/6596

github.com

github.com/formbricks/formbricks/security/advisories/GHSA-7229-q9pv-j6p4