A critical vulnerability in the open source Formbricks experience management toolbox allows attackers to reset any user’s password without authorization.
Published three days ago as advisory GHSA-7229-q9pv-j6p4 by maintainer mattinannt, the flaw stems from missing JWT signature verification in Formbricks versions before 4.0.1.
If an attacker learns a valid user’s internal identifier, they can forge a token and force a password reset, posing a severe risk to confidentiality and integrity.
Vulnerability Overview
Formbricks uses JSON Web Tokens (JWTs) to validate password reset and email verification requests. However, the token validation routine decodes the JWT payload without verifying its signature, expiration, issuer, or audience.
CVE ID | Description | Affected Versions | Severity | CVSS v3.1 Base Score |
CVE-2025-59934 | Missing verification of JWT signature in password reset routine. | < 4.0.1 | Critical | 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) |
Specifically, the verifyToken function in apps/web/lib/jwt.ts relies on jwt.decode instead of jwt.verify.

This oversight enables attackers to craft tokens with an alg: "none" header and arbitrary payloads containing any user's ID.
Proof of Concept
- An attacker obtains a victim's user ID (for example, cmfuc8pk60000vxfjud7bcl2w).
- They create a token with header {"alg":"none","typ":"JWT"} and payload {"id":"cmfuc8pk60000vxfjud7bcl2w"}.
- Without a signature, the token string ends with a trailing dot:
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJpZCI6ImNtZnVjOHBrNjAwMDB2eGZqdWQ3YmNsMncifQ.
- Visiting /auth/forgot-password/reset?token= followed by that token allows the attacker to set a new password for the victim account.
Because Formbricks does not validate token authenticity, possessing only the user ID suffices to hijack any account.
This flaw affects both the password reset and email verification flows, and it is reachable over the network by an attacker seeking to modify user credentials.
No special privileges or user interaction are required, as the CVSS vector in the table above reflects.
The vulnerability arises because the verifyToken function uses jwt.decode(token) to extract the user ID without checking the token signature or expiry.
Both the email verification and password reset actions share this unsafe validator. This design fails to prove a token’s authenticity, allowing malicious actors to bypass authentication controls entirely.
Formbricks maintainers have released version 4.0.1 to address the issue. The fix replaces jwt.decode with jwt.verify, enforcing signature, expiration, issuer, and audience checks. Users should upgrade immediately:
npm install formbricks@^4.0.1
Developers integrating Formbricks into web applications must ensure all JWT-based actions use jwt.verify with appropriate secret keys and validation options.
This critical flaw highlights the importance of comprehensive JWT validation. Until systems enforce full signature and claim checks, attackers can exploit even seemingly minor oversights to breach user accounts.
All Formbricks users should upgrade to 4.0.1 without delay to restore proper authentication safeguards.