How is this an RCE? The only way I can think of exploiting this is having access to the code. You can "exploit" JSON.parse with the same methodology. Perhaps if someone was using a serializer that uses eval but that shouldn't be a vuln in jsonwebtoken but in the library that passes user input into eval.