#1127319 rust-jsonwebtoken: CVE-2026-25537

Package: src:rust-jsonwebtoken
Source: src:rust-jsonwebtoken
Submitter: Salvatore Bonaccorso
Date: 2026-02-06 21:45:02 UTC
Severity: normal
Date: 2026-02-06 21:42:58 UTC
Hi,

The following vulnerability was published for rust-jsonwebtoken.

CVE-2026-25537[0]:
| jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is
| a Type Confusion vulnerability in jsonwebtoken, specifically, in its
| claim validation logic. When a standard claim (such as nbf or exp)
| is provided with an incorrect JSON type (Like a String instead of a
| Number), the library’s internal parsing mechanism marks the claim as
| “FailedToParse”. Crucially, the validation logic treats this
| “FailedToParse” state identically to “NotPresent”. This means that
| if a check is enabled (like: validate_nbf = true), but the claim is
| not explicitly marked as required in required_spec_claims, the
| library will skip the validation check entirely for the malformed
| claim, treating it as if it were not there. This allows attackers to
| bypass critical time-based security restrictions (like “Not Before”
| checks) and commit potential authentication and authorization
| bypasses. This issue has been patched in version 10.3.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-25537
https://www.cve.org/CVERecord?id=CVE-2026-25537
[1] https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc
[2] https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
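The advisory quoted above describes a state-collapse bug: a claim that is present but has the wrong JSON type ("FailedToParse") is handled like a claim that is absent ("NotPresent"), so an optional "nbf" that is a string rather than a number is never compared against the current time. The following is an added example, not code from the jsonwebtoken crate or from this bug report: it models that tri-state logic in plain Rust and contrasts the pre-10.3.0 behaviour with a hardened version. The names ClaimState, Validation, lookup_numeric, validate_nbf_vulnerable and validate_nbf_fixed are assumptions chosen for illustration, the Validation struct is a simplified stand-in for the real validate_nbf / required_spec_claims settings, and the sample payload is constructed.

```rust
// Added example modelling the claim-validation flaw described in
// CVE-2026-25537. Not the jsonwebtoken crate's code: ClaimState, Validation
// and the validate_nbf_* functions are assumed names. Only "nbf" is modelled.

/// The JSON types a claim value can take in this model.
#[derive(Debug, Clone, PartialEq)]
pub enum JsonValue {
    Number(u64),
    Str(String),
}

/// Result of reading a numeric standard claim from a decoded payload.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum ClaimState {
    Present(u64),
    NotPresent,
    /// Present in the payload, but not the expected JSON type.
    FailedToParse,
}

/// Simplified stand-in for the two settings the advisory mentions.
pub struct Validation {
    pub validate_nbf: bool,
    /// True when "nbf" is listed in required_spec_claims.
    pub nbf_required: bool,
}

/// Look up `name` and classify it into the tri-state above.
pub fn lookup_numeric(claims: &[(&str, JsonValue)], name: &str) -> ClaimState {
    match claims.iter().find(|(k, _)| *k == name) {
        None => ClaimState::NotPresent,
        Some((_, JsonValue::Number(n))) => ClaimState::Present(*n),
        Some((_, JsonValue::Str(_))) => ClaimState::FailedToParse,
    }
}

/// Pre-10.3.0 logic as the advisory describes it: FailedToParse is treated
/// exactly like NotPresent, so an optional but malformed "nbf" is skipped.
pub fn validate_nbf_vulnerable(
    claims: &[(&str, JsonValue)],
    now: u64,
    v: &Validation,
) -> Result<(), String> {
    if !v.validate_nbf {
        return Ok(());
    }
    match lookup_numeric(claims, "nbf") {
        ClaimState::Present(nbf) if now < nbf => Err("token not yet valid".into()),
        ClaimState::Present(_) => Ok(()),
        // Bug: the two states are merged, so the type error disappears.
        ClaimState::NotPresent | ClaimState::FailedToParse => {
            if v.nbf_required {
                Err("required claim nbf is missing".into())
            } else {
                Ok(())
            }
        }
    }
}

/// Hardened logic: a claim that is present but of the wrong type is always
/// an error, regardless of required_spec_claims. Only a truly absent
/// optional claim may be skipped.
pub fn validate_nbf_fixed(
    claims: &[(&str, JsonValue)],
    now: u64,
    v: &Validation,
) -> Result<(), String> {
    if !v.validate_nbf {
        return Ok(());
    }
    match lookup_numeric(claims, "nbf") {
        ClaimState::Present(nbf) if now < nbf => Err("token not yet valid".into()),
        ClaimState::Present(_) => Ok(()),
        ClaimState::FailedToParse => Err("claim nbf has the wrong JSON type".into()),
        ClaimState::NotPresent if v.nbf_required => {
            Err("required claim nbf is missing".into())
        }
        ClaimState::NotPresent => Ok(()),
    }
}

fn main() {
    // Constructed sample payload: "nbf" lies far in the future but is encoded
    // as a JSON string rather than a number.
    let claims = vec![
        ("sub", JsonValue::Str("alice".to_string())),
        ("nbf", JsonValue::Str("9999999999".to_string())),
    ];
    let now = 1_700_000_000;
    let v = Validation { validate_nbf: true, nbf_required: false };

    println!("vulnerable: {:?}", validate_nbf_vulnerable(&claims, now, &v));
    println!("fixed:      {:?}", validate_nbf_fixed(&claims, now, &v));
}
```

The point of the contrast is the match arm: the defensive version keeps FailedToParse as its own terminal error instead of folding it into the "optional and absent" path, so the outcome no longer depends on whether the claim was also listed in required_spec_claims. When reviewing a validation layer for the same pattern, check that every "could not decode" outcome has an explicit arm that rejects, rather than sharing an arm with "not supplied".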