GHSA-C7P4-HX26-PR73

Vulnerability from github – Published: 2025-08-07 20:55 – Updated: 2025-08-08 19:30
Summary
JWE is missing AES-GCM authentication tag validation in encrypted JWE
Details

Overview

The authentication tag of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs.

Impact

  • JWEs can be modified to decrypt to an arbitrary value
  • JWEs can be decrypted by observing parsing differences
  • The GCM internal GHASH key can be recovered

Am I Affected?

You are affected by this vulnerability even if you do not use an AES-GCM encryption algorithm for your JWEs.

Patches

Version 1.1.1 fixes the issue by adding a tag length check for the AES-GCM algorithm, so that a ciphertext carrying a truncated authentication tag is rejected before decryption.

Important: As the GHASH key could have leaked, you must rotate the encryption keys after upgrading to version 1.1.1.
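As an added example (not ruby-jwe's own code; a plain OpenSSL AES-256-GCM wrapper stands in for the gem's JWE handling, and the key, nonce, AAD and payload are constructed here), the following Ruby shows why the tag length check matters. OpenSSL compares only as many tag bytes as the caller supplies, so a decryptor that forwards the tag taken from the JWE without checking its length accepts a truncated tag; the hardened variant refuses anything but a full 128-bit tag before touching the cipher.

```ruby
require 'openssl'

# Added example, not ruby-jwe's code: the tag length check the advisory
# describes, shown against a plain OpenSSL AES-256-GCM wrapper.
GCM_TAG_LEN = 16 # bytes; JWE A128GCM/A256GCM always carry a full 128-bit tag

def gcm_encrypt(key, plaintext, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv             # 96-bit nonce, the GCM default
  cipher.auth_data = aad            # in JWE this would be the protected header
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, ciphertext, cipher.auth_tag] # auth_tag returns the full 16-byte tag
end

# Vulnerable pattern: the tag is handed to OpenSSL as-is. OpenSSL verifies only
# as many bytes as the supplied tag has, so a truncated tag still "verifies".
def gcm_decrypt_unchecked(key, iv, ciphertext, tag, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = aad
  cipher.update(ciphertext) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil # authentication failed
end

# Hardened pattern: reject any tag that is not exactly 128 bits before decrypting.
def gcm_decrypt_checked(key, iv, ciphertext, tag, aad)
  unless tag.bytesize == GCM_TAG_LEN
    raise ArgumentError, "invalid GCM tag length #{tag.bytesize}"
  end
  gcm_decrypt_unchecked(key, iv, ciphertext, tag, aad)
end

# Runs both decryptors over constructed sample data and reports the outcomes.
def demo
  aad = 'constructed-aad'
  key = OpenSSL::Cipher.new('aes-256-gcm').random_key
  iv, ct, tag = gcm_encrypt(key, 'constructed sample payload', aad)
  short_tag = tag.byteslice(0, 1)                         # truncated to 8 bits
  wrong_tag = tag.bytes.map { |b| b ^ 0xff }.pack('C*')   # full length, all bits flipped
  {
    full_tag_checked: gcm_decrypt_checked(key, iv, ct, tag, aad),
    short_tag_unchecked: gcm_decrypt_unchecked(key, iv, ct, short_tag, aad),
    short_tag_checked: begin
      gcm_decrypt_checked(key, iv, ct, short_tag, aad)
    rescue ArgumentError => e
      e.message
    end,
    wrong_tag_checked: gcm_decrypt_checked(key, iv, ct, wrong_tag, aad)
  }
end

p demo if $PROGRAM_NAME == __FILE__
```

The length check sits before any call into the cipher, which is the only place it can be effective: once a short tag reaches OpenSSL, a verification failure no longer tells the caller whether the tag was wrong or merely short, and a matching truncated prefix is treated as success.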

References

Félix Charette talk at NorthSec 2025 about the issue: https://www.youtube.com/watch?v=9IT659uUXfs&t=15830s


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "jwe"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54887"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-354"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-07T20:55:35Z",
    "nvd_published_at": "2025-08-08T01:15:25Z",
    "severity": "CRITICAL"
  },
  "details": "### Overview\nThe authentication tag of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs.\n\n### Impact\n- JWEs can be modified to decrypt to an arbitrary value\n- JWEs can be decrypted by observing parsing differences\n- The GCM internal [GHASH key](https://en.wikipedia.org/wiki/Galois/Counter_Mode#:~:text=\\)%20is%20the-,hash%20key,-%2C%20a%20string%20of) can be recovered\n\n\n### Am I Affected?\nYou are affected by this vulnerability even if you do not use an `AES-GCM` encryption algorithm for your JWEs.\n\n### Patches\nThe version 1.1.1 fixes the issue by adding the tag length check for the `AES-GCM` algorithm.\n\n**Important:** As the [GHASH key](https://en.wikipedia.org/wiki/Galois/Counter_Mode#:~:text=\\)%20is%20the-,hash%20key,-%2C%20a%20string%20of) could have leaked, you must rotate the encryption keys after upgrading to version 1.1.1.\n\n### References\n[F\u00e9lix Charette talk at NorthSec 2025 about the issue](https://www.youtube.com/watch?v=9IT659uUXfs\u0026t=15830s)",
  "id": "GHSA-c7p4-hx26-pr73",
  "modified": "2025-08-08T19:30:00Z",
  "published": "2025-08-07T20:55:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jwt/ruby-jwe/security/advisories/GHSA-c7p4-hx26-pr73"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54887"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jwt/ruby-jwe/commit/1e719d79ba3d7aadaa39a2f08c25df077a0f9ff1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jwt/ruby-jwe"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jwe/CVE-2025-54887.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "JWE is missing AES-GCM authentication tag validation in encrypted JWE"
}
