Vulnerabilites related to jwt_project - jwt
Vulnerability from fkie_nvd
Published
2021-09-28 21:15
Modified
2024-11-21 06:25
Severity ?
4.4 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms (HS256, HS384, and HS512) combined with `Lcobucci\JWT\Signer\Key\LocalFileReference` as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and, since users can issue and validate tokens, users are lead to believe that everything works properly. Versions 3.4.6, 4.0.4, and 4.1.5 have been patched to always load the file contents, deprecated the `Lcobucci\JWT\Signer\Key\LocalFileReference`, and suggest `Lcobucci\JWT\Signer\Key\InMemory` as the alternative. As a workaround, use `Lcobucci\JWT\Signer\Key\InMemory` instead of `Lcobucci\JWT\Signer\Key\LocalFileReference` to create the instances of one's keys.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/lcobucci/jwt/commit/8175de5b841fbe3fd97d2d49b3fc15c4ecb39a73 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/lcobucci/jwt/commit/c45bb8b961a8e742d8f6b88ef5ff1bd5cca5d01c | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/lcobucci/jwt/security/advisories/GHSA-7322-jrq4-x5hf | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/lcobucci/jwt/commit/8175de5b841fbe3fd97d2d49b3fc15c4ecb39a73 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/lcobucci/jwt/commit/c45bb8b961a8e742d8f6b88ef5ff1bd5cca5d01c | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/lcobucci/jwt/security/advisories/GHSA-7322-jrq4-x5hf | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| jwt_project | jwt | * | |
| jwt_project | jwt | * | |
| jwt_project | jwt | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jwt_project:jwt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6756DFB7-6FCD-4D08-87A5-56D4A9DE2430",
"versionEndExcluding": "3.4.6",
"versionStartIncluding": "3.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jwt_project:jwt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "18C105D0-94D0-4E6A-AE8A-F02E5963A50E",
"versionEndExcluding": "4.0.4",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jwt_project:jwt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2EFDA9F5-63DB-416C-BBAD-9012B2486CAE",
"versionEndExcluding": "4.1.5",
"versionStartIncluding": "4.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms (HS256, HS384, and HS512) combined with `Lcobucci\\JWT\\Signer\\Key\\LocalFileReference` as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and, since users can issue and validate tokens, users are lead to believe that everything works properly. Versions 3.4.6, 4.0.4, and 4.1.5 have been patched to always load the file contents, deprecated the `Lcobucci\\JWT\\Signer\\Key\\LocalFileReference`, and suggest `Lcobucci\\JWT\\Signer\\Key\\InMemory` as the alternative. As a workaround, use `Lcobucci\\JWT\\Signer\\Key\\InMemory` instead of `Lcobucci\\JWT\\Signer\\Key\\LocalFileReference` to create the instances of one\u0027s keys."
},
{
"lang": "es",
"value": "JWT es una biblioteca para trabajar con JSON Web Token y JSON Web Signature. Antes de las versiones 3.4.6, 4.0.4 y 4.1.5, los usuarios de los algoritmos basados en HMAC (HS256, HS384 y HS512) combinados con \"Lcobucci\\JWT\\Signer\\Key\\LocalFileReference\" como clave est\u00e1n emitiendo/validando sus tokens usando la ruta del archivo como clave de hashing - en lugar del contenido. Las funciones de hashing HMAC aceptan cualquier cadena como entrada y, dado que los usuarios pueden emitir y comprobar tokens, los usuarios son llevados a creer que todo funciona correctamente. Las versiones 3.4.6, 4.0.4 y 4.1.5 han sido parcheadas para cargar siempre el contenido del archivo, desaprobando la funci\u00f3n \"Lcobucci\\JWT\\Signer\\Key\\LocalFileReference\", y sugiriendo \"Lcobucci\\JWT\\Signer\\Key\\InMemory\" como alternativa. Como soluci\u00f3n, use \"Lcobucci\\JWT\\SignerKey\\InMemory\" en lugar de \"Lcobucci\\JWT\\SignerKey\\LocalFileReference\" para crear las instancias de las claves propias"
}
],
"id": "CVE-2021-41106",
"lastModified": "2024-11-21T06:25:28.933",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-28T21:15:07.370",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/lcobucci/jwt/commit/8175de5b841fbe3fd97d2d49b3fc15c4ecb39a73"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/lcobucci/jwt/commit/c45bb8b961a8e742d8f6b88ef5ff1bd5cca5d01c"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/lcobucci/jwt/security/advisories/GHSA-7322-jrq4-x5hf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/lcobucci/jwt/commit/8175de5b841fbe3fd97d2d49b3fc15c4ecb39a73"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/lcobucci/jwt/commit/c45bb8b961a8e742d8f6b88ef5ff1bd5cca5d01c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/lcobucci/jwt/security/advisories/GHSA-7322-jrq4-x5hf"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-345"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-345"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-07-31 20:15
Modified
2025-08-17 04:15
Severity ?
Summary
jwt v5.4.3 was discovered to contain weak encryption. NOTE: this issue has been disputed on the basis that key lengths are expected to be set by an application, not by this library. This dispute is subject to review under CNA rules 4.1.4, 4.1.14, and other rules; the dispute tagging is not meant to recommend an outcome for this CVE Record.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://gist.github.com/ZupeiNie/cd88c827eef11a1618f8baacccd240fb | Third Party Advisory | |
| cve@mitre.org | https://github.com/lcobucci | Product | |
| cve@mitre.org | https://github.com/lcobucci/jwt | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| jwt_project | jwt | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jwt_project:jwt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8C0A7774-91F3-4DE4-BDBA-39067042BFEA",
"versionEndIncluding": "5.4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jwt v5.4.3 was discovered to contain weak encryption. NOTE: this issue has been disputed on the basis that key lengths are expected to be set by an application, not by this library. This dispute is subject to review under CNA rules 4.1.4, 4.1.14, and other rules; the dispute tagging is not meant to recommend an outcome for this CVE Record."
},
{
"lang": "es",
"value": "Se descubri\u00f3 que jwt v5.4.3 conten\u00eda un cifrado d\u00e9bil."
}
],
"id": "CVE-2025-45770",
"lastModified": "2025-08-17T04:15:40.680",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 4.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-07-31T20:15:33.280",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/ZupeiNie/cd88c827eef11a1618f8baacccd240fb"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/lcobucci"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/lcobucci/jwt"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-326"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-23 21:59
Modified
2025-04-20 01:37
Severity ?
Summary
The verify function in Encryption/Symmetric.php in Malcolm Fell jwt before 1.0.3 does not use a timing-safe function for hash comparison, which allows attackers to spoof signatures via a timing attack.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | http://www.securityfocus.com/bid/95847 | ||
| secalert@redhat.com | https://github.com/emarref/jwt/pull/20 | Issue Tracking, Patch, Third Party Advisory | |
| secalert@redhat.com | https://github.com/emarref/jwt/releases/tag/1.0.3 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/95847 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/emarref/jwt/pull/20 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/emarref/jwt/releases/tag/1.0.3 | Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| jwt_project | jwt | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jwt_project:jwt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8DCFCE3A-41C0-4EAD-B6E1-A708055A3A72",
"versionEndIncluding": "1.0.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The verify function in Encryption/Symmetric.php in Malcolm Fell jwt before 1.0.3 does not use a timing-safe function for hash comparison, which allows attackers to spoof signatures via a timing attack."
},
{
"lang": "es",
"value": "La funci\u00f3n de verificaci\u00f3n en Encryption/Symmetric.php en Malcolm Fell jwt en versiones anteriores a 1.0.3 no utiliza una funci\u00f3n segura de temporizaci\u00f3n para la comparaci\u00f3n de hash, lo que permite a los atacantes suplantar firmas a trav\u00e9s de un ataque de temporizaci\u00f3n."
}
],
"id": "CVE-2016-7037",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-23T21:59:02.487",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/95847"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/emarref/jwt/pull/20"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/emarref/jwt/releases/tag/1.0.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/95847"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/emarref/jwt/pull/20"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/emarref/jwt/releases/tag/1.0.3"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-361"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2016-7037 (GCVE-0-2016-7037)
Vulnerability from cvelistv5
Published
2017-01-23 21:00
Modified
2024-08-06 01:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The verify function in Encryption/Symmetric.php in Malcolm Fell jwt before 1.0.3 does not use a timing-safe function for hash comparison, which allows attackers to spoof signatures via a timing attack.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:50:46.876Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/emarref/jwt/pull/20"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/emarref/jwt/releases/tag/1.0.3"
},
{
"name": "95847",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95847"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-09-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The verify function in Encryption/Symmetric.php in Malcolm Fell jwt before 1.0.3 does not use a timing-safe function for hash comparison, which allows attackers to spoof signatures via a timing attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-01-31T10:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/emarref/jwt/pull/20"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/emarref/jwt/releases/tag/1.0.3"
},
{
"name": "95847",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95847"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-7037",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The verify function in Encryption/Symmetric.php in Malcolm Fell jwt before 1.0.3 does not use a timing-safe function for hash comparison, which allows attackers to spoof signatures via a timing attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/emarref/jwt/pull/20",
"refsource": "CONFIRM",
"url": "https://github.com/emarref/jwt/pull/20"
},
{
"name": "https://github.com/emarref/jwt/releases/tag/1.0.3",
"refsource": "CONFIRM",
"url": "https://github.com/emarref/jwt/releases/tag/1.0.3"
},
{
"name": "95847",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95847"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-7037",
"datePublished": "2017-01-23T21:00:00",
"dateReserved": "2016-08-23T00:00:00",
"dateUpdated": "2024-08-06T01:50:46.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41106 (GCVE-0-2021-41106)
Vulnerability from cvelistv5
Published
2021-09-28 20:50
Modified
2024-08-04 02:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Summary
JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms (HS256, HS384, and HS512) combined with `Lcobucci\JWT\Signer\Key\LocalFileReference` as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and, since users can issue and validate tokens, users are lead to believe that everything works properly. Versions 3.4.6, 4.0.4, and 4.1.5 have been patched to always load the file contents, deprecated the `Lcobucci\JWT\Signer\Key\LocalFileReference`, and suggest `Lcobucci\JWT\Signer\Key\InMemory` as the alternative. As a workaround, use `Lcobucci\JWT\Signer\Key\InMemory` instead of `Lcobucci\JWT\Signer\Key\LocalFileReference` to create the instances of one's keys.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.511Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/lcobucci/jwt/security/advisories/GHSA-7322-jrq4-x5hf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lcobucci/jwt/commit/8175de5b841fbe3fd97d2d49b3fc15c4ecb39a73"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lcobucci/jwt/commit/c45bb8b961a8e742d8f6b88ef5ff1bd5cca5d01c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jwt",
"vendor": "lcobucci",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.6"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.0.4"
},
{
"status": "affected",
"version": "\u003e= 4.1.0, \u003c 4.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms (HS256, HS384, and HS512) combined with `Lcobucci\\JWT\\Signer\\Key\\LocalFileReference` as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and, since users can issue and validate tokens, users are lead to believe that everything works properly. Versions 3.4.6, 4.0.4, and 4.1.5 have been patched to always load the file contents, deprecated the `Lcobucci\\JWT\\Signer\\Key\\LocalFileReference`, and suggest `Lcobucci\\JWT\\Signer\\Key\\InMemory` as the alternative. As a workaround, use `Lcobucci\\JWT\\Signer\\Key\\InMemory` instead of `Lcobucci\\JWT\\Signer\\Key\\LocalFileReference` to create the instances of one\u0027s keys."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-28T20:50:10",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lcobucci/jwt/security/advisories/GHSA-7322-jrq4-x5hf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lcobucci/jwt/commit/8175de5b841fbe3fd97d2d49b3fc15c4ecb39a73"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lcobucci/jwt/commit/c45bb8b961a8e742d8f6b88ef5ff1bd5cca5d01c"
}
],
"source": {
"advisory": "GHSA-7322-jrq4-x5hf",
"discovery": "UNKNOWN"
},
"title": "File reference keys leads to incorrect hashes on HMAC algorithms",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41106",
"STATE": "PUBLIC",
"TITLE": "File reference keys leads to incorrect hashes on HMAC algorithms"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jwt",
"version": {
"version_data": [
{
"version_value": "\u003e= 3.4.0, \u003c 3.4.6"
},
{
"version_value": "\u003e= 4.0.0, \u003c 4.0.4"
},
{
"version_value": "\u003e= 4.1.0, \u003c 4.1.5"
}
]
}
}
]
},
"vendor_name": "lcobucci"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms (HS256, HS384, and HS512) combined with `Lcobucci\\JWT\\Signer\\Key\\LocalFileReference` as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and, since users can issue and validate tokens, users are lead to believe that everything works properly. Versions 3.4.6, 4.0.4, and 4.1.5 have been patched to always load the file contents, deprecated the `Lcobucci\\JWT\\Signer\\Key\\LocalFileReference`, and suggest `Lcobucci\\JWT\\Signer\\Key\\InMemory` as the alternative. As a workaround, use `Lcobucci\\JWT\\Signer\\Key\\InMemory` instead of `Lcobucci\\JWT\\Signer\\Key\\LocalFileReference` to create the instances of one\u0027s keys."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-345: Insufficient Verification of Data Authenticity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/lcobucci/jwt/security/advisories/GHSA-7322-jrq4-x5hf",
"refsource": "CONFIRM",
"url": "https://github.com/lcobucci/jwt/security/advisories/GHSA-7322-jrq4-x5hf"
},
{
"name": "https://github.com/lcobucci/jwt/commit/8175de5b841fbe3fd97d2d49b3fc15c4ecb39a73",
"refsource": "MISC",
"url": "https://github.com/lcobucci/jwt/commit/8175de5b841fbe3fd97d2d49b3fc15c4ecb39a73"
},
{
"name": "https://github.com/lcobucci/jwt/commit/c45bb8b961a8e742d8f6b88ef5ff1bd5cca5d01c",
"refsource": "MISC",
"url": "https://github.com/lcobucci/jwt/commit/c45bb8b961a8e742d8f6b88ef5ff1bd5cca5d01c"
}
]
},
"source": {
"advisory": "GHSA-7322-jrq4-x5hf",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41106",
"datePublished": "2021-09-28T20:50:11",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-45770 (GCVE-0-2025-45770)
Vulnerability from cvelistv5
Published
2025-07-31 00:00
Modified
2025-08-17 04:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
jwt v5.4.3 was discovered to contain weak encryption. NOTE: this issue has been disputed on the basis that key lengths are expected to be set by an application, not by this library. This dispute is subject to review under CNA rules 4.1.4, 4.1.14, and other rules; the dispute tagging is not meant to recommend an outcome for this CVE Record.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-45770",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T20:05:31.939424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T20:06:43.668Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jwt v5.4.3 was discovered to contain weak encryption. NOTE: this issue has been disputed on the basis that key lengths are expected to be set by an application, not by this library. This dispute is subject to review under CNA rules 4.1.4, 4.1.14, and other rules; the dispute tagging is not meant to recommend an outcome for this CVE Record."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-17T04:00:19.045Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/lcobucci"
},
{
"url": "https://github.com/lcobucci/jwt"
},
{
"url": "https://gist.github.com/ZupeiNie/cd88c827eef11a1618f8baacccd240fb"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-45770",
"datePublished": "2025-07-31T00:00:00.000Z",
"dateReserved": "2025-04-22T00:00:00.000Z",
"dateUpdated": "2025-08-17T04:00:19.045Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}