CVE-2026-40942

The DSF vulnerability CVE-2026-40942 affects the OIDC JWKS and Metadata Document caches (and the OIDC token cache for FHIR client connections) prior to version 2.1.0, where an inverted time comparison (isBefore vs isAfter) caused the cache to never return cached values and never invalidate, resul...

Data Sharing Framework has an Inverted Time Comparison in OIDC JWKS and Token Cache

Affected Components - DSF FHIR Server with enabled bearer-token authentication or back-channel logout. - DSF BPE Server with enabled bearer-token authentication or back-channel logout. - DSF BPE Server API v2 process plugins using FHIR client connections with configured OIDC authentication. Summa...

CVE-2025-59936 get-jwks poisoned JWKS cache allows post-fetch issuer validation bypass

get-jwks contains fetch utils for JWKS keys. In versions prior to 11.0.2, a vulnerability in get-jwks can lead to cache poisoning in the JWKS key-fetching mechanism. When the iss issuer claim is validated only after keys are retrieved from the cache, it is possible for cached keys from an...

CVE-2025-59936

The CVE-2025-59936 issue affects get-jwks prior to 11.0.2, where a design flaw allows cache poisoning of the JWKS cache to bypass issuer validation. If iss is validated after keys are retrieved from the cache, an attacker can craft JWTs to place a chosen public key in the shared cache and then re...

Improper Encoding or Escaping of Output

Overview get-jwks is a Fetch utils for JWKS keys Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the getPublicKey process. An attacker can bypass issuer validation and gain unauthorized access by poisoning the JWKS cache with a crafted public key an...