{"uuid": "ed64b76c-6be5-4a3d-b91b-e1de97596c26", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-jc38-x7x8-2xc8", "type": "seen", "source": "https://gist.github.com/alon710/c26988bce97f88a79fd114238aa121f6", "content": "# GHSA-JC38-X7X8-2XC8: GHSA-jc38-x7x8-2xc8: Algorithm Confusion and Header Override Vulnerability in PHP JWT Framework\n\n> **CVSS Score:** 8.1\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/GHSA-JC38-X7X8-2XC8\n\n## Summary\nAn algorithm confusion vulnerability exists in the PHP JWT Framework (web-token/jwt-library) where the JWSVerifier and JWEDecrypter components merge integrity-protected and unprotected headers using insecure methods. Under specific conditions, duplicate parameters defined in unprotected headers override those in integrity-protected headers, allowing an attacker to bypass cryptographic signature verification.\n\n## TL;DR\nA flaw in the way PHP JWT Framework merges headers allows parameters in unprotected headers to overwrite those in protected headers, leading to cryptographic signature bypass via algorithm confusion.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-345 (Active Verification of Cryptographic Signature)\n- **Attack Vector**: Network (AV:N)\n- **CVSS v4.0 Score**: 8.1\n- **Exploit Status**: Proof of Concept\n- **Vulnerability Type**: Cryptographic Bypass / Algorithm Confusion\n- **Affected Component**: JWSVerifier and JWEDecrypter\n\n## Affected Systems\n\n- PHP JWT Framework (web-token/jwt-framework) under web-token/jwt-library component\n- **web-token/jwt-library**: < 3.4.10 (Fixed in: `3.4.10`)\n- **web-token/jwt-library**: >= 4.0.0, < 4.0.7 (Fixed in: `4.0.7`)\n- **web-token/jwt-library**: >= 4.1.0, < 4.1.7 (Fixed in: `4.1.7`)\n\n## Mitigation\n\n- Upgrade the web-token/jwt-library dependency to version 3.4.10, 4.0.7, or 4.1.7 depending on the base release in use.\n- Separate asymmetric (RSA/ECDSA) keys and symmetric (HMAC) keys into distinct JWKS key sets to prevent cross-protocol key reuse.\n- Configure HeaderCheckerManager to strictly validate that critical algorithm headers exist only within integrity-protected containers.\n\n**Remediation Steps:**\n1. Locate the composer.json file in the application root directory.\n2. Update the web-token/jwt-framework or web-token/jwt-library version constraints to point to the patched releases.\n3. Execute the dependency manager command 'composer update web-token/jwt-library' to pull the secure version.\n4. Search the codebase for manual configurations of JWKSet to confirm that public verification keys are segregated from secret symmetric keys.\n\n## References\n\n- [GitHub Security Advisory GHSA-jc38-x7x8-2xc8](https://github.com/advisories/GHSA-JC38-X7X8-2XC8)\n- [OSV Vulnerability Record for GHSA-jc38-x7x8-2xc8](https://osv.dev/vulnerability/GHSA-jc38-x7x8-2xc8)\n- [PHP JWT Framework Security Advisory on GitHub](https://github.com/web-token/jwt-framework/security/advisories/GHSA-jc38-x7x8-2xc8)\n- [FriendsOfPHP Security Advisory Metadata](https://github.com/FriendsOfPHP/security-advisories/blob/master/web-token/jwt-library/GHSA-jc38-x7x8-2xc8.yaml)\n- [PHP JWT Framework Repository](https://github.com/web-token/jwt-framework)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-JC38-X7X8-2XC8) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T23:11:33.000000Z"}