Skip to content

Update dependency jwt to v3 [SECURITY]#1583

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/rubygems-jwt-vulnerability
Open

Update dependency jwt to v3 [SECURITY]#1583
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/rubygems-jwt-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 22, 2026

This PR contains the following updates:

Package Change Age Confidence
jwt (changelog) 2.10.23.2.0 age confidence

ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351

CVE-2026-45363 / GHSA-c32j-vqhx-rx3x

More information

Details

JWT.decode(token, '', true, algorithm: 'HS256') accepts an attacker-forged token.
OpenSSL::HMAC.digest('SHA256', '', payload) returns a valid digest under an empty key, and no raise InvalidKeyError if key.empty? precondition exists in the HMAC algorithm.

JWT.decode(token, "", true, algorithm: 'HS256')
  -> JWA::Hmac.verify(verification_key: "", ...)
  -> OpenSSL::HMAC.digest('SHA256', "", signing_input) == signature

The same path is reached when a keyfinder block or key_finder: argument returns "", nil, or an
array containing nil for an unknown key. JWT::Decode#find_key only rejects literal nil and empty
arrays, and JWT::JWA::Hmac silently coerces nil to "" (signing_key ||= '') before signing.

JWT.decode(token, nil, true, algorithms: ['HS256']) { |_h| "" }
  -> find_key returns ""               # "" && !Array("").empty? == true
  -> JWA::Hmac.verify(verification_key: "", ...)
  -> verifies

Common application patterns that produce the unsafe value: redis.get("kid:#{kid}").to_s, ORM string columns with default: '', ENV['SECRET'] || '', Hash.new('') lookups, [primary, fallback] where fallback may be nil. Applications passing a non-empty static key:, or whose keyfinder returns nil / raises on miss, are not affected.

The existing enforce_hmac_key_length option would block this but defaults to false. On OpenSSL ≥ 3.5 the empty-key HMAC.digest call no longer raises, so the OpenSSL-3.0 rescue in JWA::Hmac#sign does not fire.

Affects HS256/HS384/HS512 via both JWT.decode (positional key and block keyfinder) and
JWT::EncodedToken#verify_signature!(key_finder:)

Severity

  • CVSS Score: 7.4 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

jwt/ruby-jwt (jwt)

v3.2.0

Compare Source

Full Changelog

Features:

  • Add enforce_hmac_key_length configuration option #​716 - (@​304)

Fixes and enhancements:

v3.1.2

Compare Source

Full Changelog

Fixes and enhancements:

  • Avoid using the same digest across calls in JWT::JWA::Ecdsa and JWT::JWA::Rsa #​697
  • Fix signing with a EC JWK #​699 (@​anakinj)

v3.1.1

Compare Source

Full Changelog

Fixes and enhancements:

  • Avoid using the same digest across calls in JWT::JWA::Ecdsa and JWT::JWA::Rsa #​697
  • Fix signing with a EC JWK #​699 (@​anakinj)

v3.1.0

Compare Source

Full Changelog

Fixes and enhancements:

  • Require the algorithm to be provided when signing and verifying tokens using JWKs #​695 (@​anakinj)

v3.0.0

Compare Source

Full Changelog

Features:

  • Add support for x5t header parameter for X.509 certificate thumbprint verification #​669 (@​hieuk09)
  • Raise an error if the ECDSA signing or verification key is not an instance of OpenSSL::PKey::EC #​688 (@​anakinj)
  • Allow OpenSSL::PKey::EC::Point to be used as the verification key in ECDSA #​689 (@​anakinj)
  • Require claims to have been verified before accessing the JWT::EncodedToken#payload #​690 (@​anakinj)
  • Support signing and verifying tokens using a JWK #​692 (@​anakinj)

v2.10.3: jwt-2.10.3

Compare Source

v2.10.3 (2026-05-22)

Full Changelog

Fixes and enhancements:

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added dependencies Pull requests that update a dependency file major labels May 22, 2026
@mmeest
Copy link
Copy Markdown
Contributor

mmeest commented May 26, 2026
edited
Loading

Reason for tests to fail is not a JWT issue itself — the problem is that billing_secret defaults to ''. JWT 3.x now correctly rejects empty HMAC keys. We should either return nil and fail fast or provide a proper test config secret.

@renovate renovate Bot force-pushed the renovate/rubygems-jwt-vulnerability branch from 758e12c to bd4c7d8 Compare May 27, 2026 14:23
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 27, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file major

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mmeest