Description

JOSE is a Javascript Object Signing and Encryption (JOSE) library. Prior to version 0.3.5+1, a vulnerability in jose could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header (jwk). The vulnerability exists because key selection could treat header-provided jwk as a verification candidate even when that key was not present in the trusted key store. Since JOSE headers are untrusted input, an attacker could exploit this by creating a token payload, embedding an attacker-controlled public key in the header, and signing with the matching private key. Applications using affected versions for token verification are impacted. This issue has been patched in version 0.3.5+1. A workaround for this issue involves rejecting tokens where header jwk is present unless that jwk matches a key already present in the application's trusted key store.

INFO

Published Date :

2026-03-31T15:44:23.578Z

Last Modified :

2026-04-01T14:03:14.969Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34240 vulnerability.

Vendors Products
Appsup-dart
  • Jose
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34240.

URL Resource
https://github.com/appsup-dart/jose/commit/b07799aac1f56a9a21483feac026272aab30cc5d cve-icon cve-icon
https://github.com/appsup-dart/jose/security/advisories/GHSA-vm9r-h74p-hg97 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact