JWT signature verification bypass enables account takeover in Formbricks
Take action: If you're using Formbricks, upgrade to version 4.0.1 or later immediately. A Formbricks instance can be taken over with a single forged request; all an attacker needs is a victim's internal user ID, which they will eventually find. Isolating the endpoints may help, but only in the very short term. Treat this as an urgent patch.
Formbricks, an open-source experience management platform and Qualtrics alternative, has patched a critical security vulnerability that could allow attackers to hijack user accounts through forged authentication tokens.
The flaw, tracked as CVE-2025-59934 (CVSS score 9.4), is caused by a failure in the platform's JSON Web Token validation mechanism.
The token validation routine is implemented in the file /formbricks/apps/web/lib/jwt.ts, in the verifyToken function. The implementation uses the jwt.decode() method instead of the cryptographically secure jwt.verify() method. The problematic code simply decodes the JWT structure to extract the payload without performing any of the essential security validations that are fundamental to JWT-based authentication systems.
An attacker needs only two pieces of information: knowledge that the target uses Formbricks, and the victim's internal user identifier. User identifiers in Formbricks follow a predictable format consisting of alphanumeric strings, such as cmfuc8pk60000vxfjud7bcl2w. These identifiers might be exposed through various channels, including application logs, error messages, API responses, or through social engineering techniques.
Once an attacker obtains a victim's user identifier, they can craft a malicious token that specifies the "alg": "none" algorithm in its header. The "none" algorithm is a specification within the JWT standard that indicates no signature verification should be performed on the token. While legitimate JWT implementations should reject tokens using this algorithm, Formbricks' flawed validation accepts them because it never performs signature verification in the first place.
This forged token is then embedded into a password reset URL following the pattern /auth/forgot-password/reset?token=<forged_JWT>.
When the victim or attacker visits this URL and submits a new password through the reset form, the Formbricks server processes the request by calling the vulnerable verifyToken function. This function decodes the JWT payload using jwt.decode(), extracts the user identifier from the token, and uses it to query the database for the corresponding user account. The system then proceeds to update the password for the identified user account to whatever value was submitted in the form, effectively granting the attacker complete control over the victim's account.
Affected versions: all Formbricks versions prior to 4.0.1.
Formbricks has patched this critical vulnerability in version 4.0.1.
Organizations and individuals using Formbricks should immediately upgrade to version 4.0.1 or later to protect against this vulnerability. Users can verify their current Formbricks version by checking the application's about page or version information endpoint.