A significant security flaw has been identified in Formbricks, an open-source experience management platform, which could enable attackers to reset user passwords without proper authorization. This vulnerability, designated as CVE-2025-59934, affects all versions of Formbricks prior to 4.0.1 and arises from inadequate JSON Web Token (JWT) signature verification.
Understanding the Vulnerability
JWTs are widely used to transmit claims between parties as a JSON object, and they are typically signed so that the recipient can check the integrity and authenticity of the data. In Formbricks, the function responsible for validating these tokens, located in `/formbricks/apps/web/lib/jwt.ts`, uses `jwt.decode()` instead of `jwt.verify()`. `jwt.decode()` only parses the token; it never checks the signature, so any syntactically well-formed JWT is accepted as valid regardless of who produced it.
This flaw impacts critical functionalities such as email verification and password reset processes. An attacker with knowledge of a user’s unique identifier (user.id) can craft a malicious JWT with the `alg` header set to `none`, effectively creating an unsigned token. By submitting this token through the password reset mechanism, the attacker can reset the user’s password and gain unauthorized access to their account.
Exploitation Process
The exploitation of this vulnerability involves the following steps:
1. Obtain User Identifier: The attacker identifies the target user’s unique identifier, which follows a standard format in Formbricks (e.g., cmfuc8pk60000vxfjud7bcl2w).
2. Craft Malicious JWT: Using the obtained user.id, the attacker creates a JWT with the header specifying the algorithm as none and includes the user.id in the payload.
3. Submit Forged Token: The attacker constructs a password reset URL containing the forged token and submits a new password through the reset form.
Due to the lack of signature verification, the server accepts the unsigned token, extracts the user.id, and proceeds to update the password, granting the attacker control over the account.
Risk Assessment
The severity of this vulnerability is underscored by its CVSS 3.1 score of 9.4, categorizing it as critical. The primary risk factors include:
– Affected Products: All Formbricks versions prior to 4.0.1.
– Impact: Potential for attackers to elevate privileges and take over user accounts.
– Exploit Prerequisites: Knowledge of the victim’s user.id; no existing privileges or user interaction required.
Mitigation Measures
To address this security issue, Formbricks has released version 4.0.1, which implements proper JWT signature verification. Organizations using affected versions should:
1. Upgrade Immediately: Update to Formbricks version 4.0.1 or later to patch the vulnerability.
2. Review Logs: Examine authentication logs for any unusual password reset activities that may indicate exploitation attempts.
3. Enhance Security Practices: Ensure that all token validation processes include comprehensive checks, such as signature verification, token expiration, issuer validation, and audience verification.
Conclusion
The discovery of CVE-2025-59934 highlights the critical importance of robust token validation mechanisms in web applications. By failing to verify JWT signatures, Formbricks inadvertently exposed its users to potential account takeovers. Prompt action to update affected systems and reinforce authentication protocols is essential to maintain the security and integrity of user accounts.