Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oNTMzLTV2MjItOHZjcM4AA8IT
firebase/php-jwt: "None" Algorithm treated as valid on tokens
Several widely-used JSON Web Token (JWT) libraries, including node-jsonwebtoken, pyjwt, namshi/jose, php-jwt, and jsjwt, are affected by critical vulnerabilities that could allow attackers to bypass the verification step when using asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512).
Permalink: https://github.com/advisories/GHSA-h533-5v22-8vcpJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oNTMzLTV2MjItOHZjcM4AA8IT
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 7 months ago
Updated: 7 months ago
Identifiers: GHSA-h533-5v22-8vcp
References:
- https://github.com/firebase/php-jwt/commit/b2c2be6a45fda769c8c2ffe5ec4259a9d1e46e5b
- https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries
- https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries
- https://github.com/FriendsOfPHP/security-advisories/blob/master/firebase/php-jwt/2015-04-02.yaml
- https://github.com/advisories/GHSA-h533-5v22-8vcp
Blast Radius: 0.0
Affected Packages
packagist:firebase/php-jwt
Dependent packages: 1,772Dependent repositories: 44,890
Downloads: 318,309,953 total
Affected Version Ranges: < 2.0.0
Fixed in: 2.0.0
All affected versions: 1.0.0
All unaffected versions: 2.0.0, 2.1.0, 2.2.0, 3.0.0, 4.0.0, 5.0.0, 5.1.0, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.5.0, 5.5.1, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.2.0, 6.3.0, 6.3.1, 6.3.2, 6.4.0, 6.5.0, 6.6.0, 6.7.0, 6.8.0, 6.8.1, 6.9.0, 6.10.0, 6.10.1, 6.10.2