High severity8.1NVD Advisory· Published Feb 9, 2018· Updated Jun 17, 2026
CVE-2018-1000025
CVE-2018-1000025
Description
Jerome Gamez Firebase Admin SDK for PHP version from 3.2.0 to 3.8.0 contains a Incorrect Access Control vulnerability in src/Firebase/Auth/IdTokenVerifier.php does not verify for token signature that can result in JWT with any email address and user ID could be forged from an actual token, or from thin air. This attack appear to be exploitable via Attacker would only need to know email address of the victim on most cases.. This vulnerability appears to have been fixed in 3.8.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
kreait/firebase-phpPackagist | >= 3.2.0, < 3.8.1 | 3.8.1 |
Affected products
1Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-4gjj-r7w8-42cqghsaADVISORY
- github.com/kreait/firebase-php/pull/151nvdThird Party AdvisoryWEB
- github.com/kreait/firebase-php/releases/tag/3.8.1nvdRelease NotesThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2018-1000025ghsaADVISORY
- github.com/FriendsOfPHP/security-advisories/blob/master/kreait/firebase-php/CVE-2018-1000025.yamlghsaWEB
News mentions
0No linked articles in our index yet.