CVE-2025-59936 is a critical vulnerability affecting versions of the nearform 'get-jwks' library prior to 11.0.2. The 'get-jwks' library is used to fetch JSON Web Key Sets (JWKS) for JWT signature verification. The vulnerability arises from a design flaw in the caching mechanism of JWKS keys. Specifically, the library caches keys fetched from issuers but performs issuer (iss) claim validation only after retrieving keys from the cache. This sequence allows an attacker to perform cache poisoning by first injecting a malicious public key into the shared JWKS cache associated with one issuer, and then leveraging that cached key to validate a JWT from a different, targeted issuer. This bypasses the intended issuer validation, enabling signature validation to succeed with a key that should not be trusted for that issuer. The attack requires no authentication or user interaction and can be executed remotely over the network, making exploitation relatively straightforward. The vulnerability is classified under CWE-116 (Improper Encoding or Escaping of Output), indicating issues with how output data is handled, which in this context relates to the improper handling of cached keys and issuer validation order. The flaw has been addressed in version 11.0.2 of 'get-jwks'. The CVSS v3.0 base score is 9.4 (critical), reflecting high impact on confidentiality and integrity with low attack complexity and no privileges or user interaction required. No known exploits are currently reported in the wild, but the severity and ease of exploitation make this a high-risk vulnerability for any systems relying on vulnerable versions of 'get-jwks' for JWT validation.

For European organizations, this vulnerability poses a significant risk to the integrity and confidentiality of authentication and authorization processes that rely on JWTs validated using the 'get-jwks' library. Many modern web applications, APIs, and microservices use JWTs for stateless authentication and authorization, often fetching public keys dynamically from trusted issuers via JWKS endpoints. Exploitation of this vulnerability could allow attackers to impersonate legitimate users or services by forging JWTs that pass signature validation despite originating from untrusted issuers. This could lead to unauthorized access to sensitive data, privilege escalation, and potential lateral movement within networks. Given the critical nature of JWTs in identity and access management, the impact extends to compliance risks under GDPR and other data protection regulations if personal or sensitive data is exposed or manipulated. Additionally, organizations in sectors such as finance, healthcare, and government, which heavily rely on secure token validation, could face operational disruptions and reputational damage. The vulnerability's network-exploitable nature means that exposed APIs or services using vulnerable 'get-jwks' versions are at immediate risk, especially if they do not implement additional issuer validation safeguards outside the library.

European organizations should urgently upgrade all instances of the 'get-jwks' library to version 11.0.2 or later, where the vulnerability is patched. Beyond upgrading, organizations should audit their JWT validation workflows to ensure that issuer (iss) claim validation occurs before or during key retrieval, not after, to prevent cache poisoning attacks. Implementing strict validation logic that tightly couples keys to their issuers and avoids shared caches across different issuers can mitigate risks. Additionally, organizations should consider deploying runtime monitoring and anomaly detection on JWT validation failures or unusual token usage patterns. Employing defense-in-depth by validating tokens at multiple layers, including API gateways and identity providers, can reduce exposure. Regularly reviewing and updating dependencies, combined with automated vulnerability scanning in CI/CD pipelines, will help prevent similar issues. Finally, organizations should review their incident response plans to quickly address any detected misuse of JWTs and notify affected stakeholders as required by GDPR and other regulations.