Formbricks Signature Verification Flaw Enables Unauthorized Password Resets

In a critical security lapse, the popular open-source analytics platform Formbricks has been found vulnerable to unauthorized password resets.

The flaw lies in its JSON Web Token (JWT) handling, where tokens are decoded without any signature or expiration checks, allowing attackers to craft arbitrary tokens and hijack user accounts.

Vulnerability Overview

Formbricks relies on JWTs for several authentication flows, including email verification and password resets.

The root cause of this weakness is the use of a simple decode operation (jwt.decode) instead of a full verification (jwt.verify).

As a result, the platform does not validate the token’s signature, expiration time, issuer, or intended audience.

This oversight permits an attacker, once in possession of a valid user identifier, to generate a token with an alg: "none" header, bypass all cryptographic checks, and hijack the account.

The core of the issue resides in a shared token validation routine used by both the email confirmation endpoint and the password-reset handler.

Upon receiving a token, the server decodes it to extract the payload, then directly uses the contained user ID to perform database operations.

No subsequent checks ensure that the token was legitimately issued or is still valid.

Consequently, an attacker can:

  • Discover or guess a user’s internal ID.
  • Construct a JWT header alg: "none" and embed the victim’s ID in the payload.
  • Submit the forged token to the password reset endpoint, which accepts the payload and updates the victim’s password.

Proof of Concept Workflow

A simple proof-of-concept demonstrates the attack in three steps.

First, the attacker needs the victim’s user ID, which may be exposed through other application endpoints or predictable patterns.

Next, the attacker constructs a JWT with no signature requirement and sets the payload ID to the victim’s identifier.

Lastly, the attacker accesses the password reset link, including the crafted token, and submits a new password.

The server, trusting the decoded payload, locates the user and replaces the existing password with the attacker’s choice—all without any authorization checks.

This flaw poses a severe risk to all Formbricks deployments that have not patched the vulnerability.

An attacker can not only reset passwords but potentially intercept or control other account-based features, leading to data theft, manipulation of analytics records, or further lateral movement within the application environment.

Since both email confirmation and password resets share the same validation logic, the attack surface is wide and easily exploitable.

To remediate this issue, developers must replace all jwt.decode calls with a proper jwt.verify call that checks signature integrity, token expiration, issuer, and audience fields.

Additionally, rotating the signing key and invalidating existing tokens will limit the window for exploitation.

Implementing rate limiting and monitoring unusual password reset requests can further detect and mitigate abusive activity.

The Formbricks signature verification vulnerability underscores the importance of rigorous token validation.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.