53 matches found

OSV
added 2025/12/06 11:38 a.m., 3 views

BIT-ENVOY-2025-64527 Envoy crashes when JWT authentication is configured with the remote JWKS fetching

Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allowmissingorfailed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch...

CVSS 6.5 · AI score 7.1 · EPSS 0.00478
Exploits: 1 · References: 2
NVD
added 2025/12/03 6:15 p.m., 3 views

CVE-2025-64527

Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allowmissingorfailed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch...

CVSS 6.5 · EPSS 0.00478
Exploits: 1 · References: 1
Veracode
added 2025/11/11 6:44 a.m., 4 views

Cache Poisoning

get-jwks is vulnerable to cache poisoning. The vulnerability is due to a design flaw where the iss (issuer) claim may be validated only after keys are retrieved from a shared JWKS cache, which allows an attacker to push a chosen public key into the cache with one crafted JWT and then reuse that...

CVSS 9.4 · AI score 9 · EPSS 0.00364
Exploits: 0 · References: 2 · Affected Software: 1
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2025-31349

Malicious code in bioql PyPI...

CVSS 9.4 · AI score 9.2 · EPSS 0.00364
Exploits: 0 · References: 4
Snyk
added 2025/09/27 1:42 a.m., 3 views

Improper Encoding or Escaping of Output

Overview: get-jwks is a fetch utils package for JWKS keys. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the JWKS cache process. An attacker can bypass issuer validation by poisoning the cache with keys from an unexpected issuer and subsequently leveraging...

CVSS 9.4 · AI score 6.9 · EPSS 0.00364
Exploits: 0 · References: 2
Cvelist
added 2025/09/27 12:22 a.m., 9 views

CVE-2025-59936 get-jwks poisoned JWKS cache allows post-fetch issuer validation bypass

get-jwks contains fetch utils for JWKS keys. In versions prior to 11.0.2, a vulnerability in get-jwks can lead to cache poisoning in the JWKS key-fetching mechanism. When the iss (issuer) claim is validated only after keys are retrieved from the cache, it is possible for cached keys from an...

CVSS 9.4 · EPSS 0.00364
Exploits: 0 · References: 2
GitHub Security Blog
added 2025/09/26 2:27 p.m., 4 views

get-jwks: poisoned JWKS cache allows post-fetch issuer validation bypass

Summary: A vulnerability in get-jwks can lead to cache poisoning in the JWKS key-fetching mechanism. Details: When the iss (issuer) claim is validated only after keys are retrieved from the cache, it is possible for cached keys from an unexpected issuer to be reused, resulting in a bypass of issuer...

CVSS 9.4 · AI score 6.7 · EPSS 0.00364
Exploits: 0 · References: 4 · Affected Software: 1
Positive Technologies
added 2025/09/26 12:00 a.m., 3 views

PT-2025-39697

Name of the Vulnerable Software and Affected Versions: get-jwks versions prior to 11.0.2. Description: A flaw exists in the get-jwks library related to its JWKS key-fetching mechanism. When the issuer (iss) claim is validated after keys are retrieved from the cache, cached keys from an unexpected issu...

CVSS 9.4 · AI score 8.7 · EPSS 0.00364
Exploits: 0 · References: 10
CNNVD
added 2025/01/09 12:00 a.m., 3 views

JWK Set security vulnerability

JWK Set is a JWK and JWK-Set implementation by the individual developer Micah Parks. An auto-caching JWK-Set HTTP client is provided. A security vulnerability exists in versions prior to JWK Set 0.6.0, which stems from an HTTP client that incorrectly overwrites or appends the local cache when...

CVSS 2.1 · AI score 6.6 · EPSS 0.00518
Exploits: 0 · References: 3
CNNVD
added 2025/01/09 12:00 a.m., 3 views

HouseRent security vulnerability

HouseRent is a house rental management system by the individual developer Mr.W. An auto-caching JWK-Set HTTP client is provided. A security vulnerability exists in HouseRent version 1.0, which stems from unknown functionality in the file src/main/java/com/house/wym/controller/AdminController.java tha...

CVSS 8.8 · AI score 6.5 · EPSS 0.00363
Exploits: 0 · References: 5
Positive Technologies
added 2024/04/03 12:00 a.m., 5 views

PT-2024-23852 · Oidcc

Name of the Vulnerable Software and Affected Versions: oidcc versions prior to 3.0.2; oidcc versions prior to 3.1.2; oidcc versions prior to 3.2.0-beta.3. Description: A Denial of Service (DoS) by Atom exhaustion is possible by calling oidcc provider configuration worker:get provider configuration/1 o...

CVSS 5.3 · AI score 6.7 · EPSS 0.00235
Exploits: 0 · References: 10
OSV
added 2022/04/27 4:15 p.m., 4 views

CVE-2021-34588

Bender/ebee Charge Controllers in multiple versions are prone to unprotected data export. Backup export is protected via a random key. The key is set at user login. It is empty after reboot...

CVSS 8.6 · AI score 5.8
Exploits: 0 · References: 1
Akamai Blog
added 2019/10/11 8:00 p.m., 255 views

Verify JWT With JSON Web Key Set (JWKS) in API Gateway

JSON Web Tokens (JWT) use digital signatures to establish the authenticity of the data they contain, as well as authenticating the identity of the signer. A valid signature check ensures that any party can rely on the contents and the signatory of the JWT. This is typically accomplished by using an...

AI score 7.1
Exploits: 0