VYPR
Moderate severity · NVD Advisory · Published Jun 26, 2018 · Updated Aug 5, 2024

CVE-2018-1000539

Description

Nov json-jwt version >= 0.5.0 && < 1.9.4 contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability in Decryption of AES-GCM encrypted JSON Web Tokens that can result in an attacker forging an authentication tag. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in 1.9.4 and later.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nov json-jwt gem versions 0.5.0 to 1.9.3 improperly verify AES-GCM authentication tags, allowing attackers to forge tags and decrypt tokens.

Vulnerability

The json-jwt Ruby gem, versions >= 0.5.0 and < 1.9.4, contains an improper verification of cryptographic signature (CWE-347) in the decryption of AES-GCM encrypted JSON Web Tokens (JWTs) [1][2]. The implementation fails to properly validate the authentication tag length during AES-GCM decryption, allowing an attacker to present a truncated or forged tag that would be accepted as valid. The issue was fixed in version 1.9.4 by adding explicit validation of the GCM authentication tag length in the decryption routine [3].

Exploitation

An attacker with network access to an application using the vulnerable json-jwt library can send a crafted JWE (JSON Web Encryption) token with a modified or truncated authentication tag [1]. The attacker does not need authentication or write access; they only need to submit a malicious token to a decryption endpoint. The vulnerable code path is triggered when JSON::JWE#decrypt! is called on a token whose content encryption method is AES-GCM (e.g., A128GCM or A256GCM). By truncating the authentication tag (e.g., by one byte), the attacker can cause decryption to succeed without the full tag being verified [3].

Impact

Successful exploitation allows an attacker to forge authentication tags, effectively bypassing integrity checks on encrypted JWTs [1]. This leads to unauthorized decryption of tokens and potential compromise of the confidentiality and integrity of the token content. Depending on how the application uses decrypted claims, an attacker could impersonate a user, access protected resources, or escalate privileges. The attack does not require elevated privileges initially.

Mitigation

The vulnerability is fixed in version 1.9.4 of the json-jwt gem, released on January 31, 2018 [1][2][3]. Users should upgrade to 1.9.4 or later immediately. The fix was merged via commit a3b2147f, which adds an explicit check in JSON::JWE#decrypt! that the GCM authentication tag has the expected length before it is handed to OpenSSL, together with shared spec examples that exercise the check with a truncated tag [3]. No workaround is available for earlier versions. The gem repository provides documentation on usage and installation [4].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
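The following Ruby script is an added example, not code from the json-jwt project or from this advisory. It reproduces the tag-length failure mode described in the Exploitation section at the OpenSSL level and places the 1.9.4-style guard from the Mitigation section beside it, then applies the same guard to a compact-serialized JWE before any key material is used. It assumes Ruby's bundled openssl and base64 libraries; the key, nonce, protected header and plaintext are constructed sample values, and every function and class name (decrypt_unchecked, decrypt_checked, gcm_tag_segment_ok?, DecryptionFailed, tag_length_demo) is this example's own. decrypt_checked uses `!= 16` rather than the patch's `< 16`, which is equally valid for JWE and also rejects an over-long tag.

```ruby
require 'openssl'
require 'base64'

# JWE A128GCM/A256GCM tags are always 128 bits (RFC 7518, section 5.3).
GCM_TAG_BYTES = 16

# Stand-in for JSON::JWE::DecryptionFailed (this example's own class).
class DecryptionFailed < StandardError; end

def aes_gcm_encrypt(key, iv, plaintext, aad)
  cipher = OpenSSL::Cipher.new("aes-#{key.bytesize * 8}-gcm").encrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  [ciphertext, cipher.auth_tag] # auth_tag without an argument returns all 16 bytes
end

# Hands OpenSSL whatever tag it is given. OpenSSL takes the expected tag
# length from the string passed to auth_tag= (ruby/openssl#63), so a
# 15-byte tag is checked against only the first 15 bytes of the real tag.
def aes_gcm_decrypt_raw(key, iv, ciphertext, tag, aad)
  cipher = OpenSSL::Cipher.new("aes-#{key.bytesize * 8}-gcm").decrypt
  cipher.key = key
  cipher.iv = iv # set after key for GCM, as the json-jwt source notes
  cipher.auth_tag = tag
  cipher.auth_data = aad
  cipher.update(ciphertext) + cipher.final
end

# Shape of JSON::JWE#decrypt! before 1.9.4: no length check on the tag.
def decrypt_unchecked(key, iv, ciphertext, tag, aad)
  aes_gcm_decrypt_raw(key, iv, ciphertext, tag, aad)
rescue OpenSSL::Cipher::CipherError
  raise DecryptionFailed, 'authentication failed'
end

# Shape of the 1.9.4 fix: reject a wrong-length tag before OpenSSL sees it.
def decrypt_checked(key, iv, ciphertext, tag, aad)
  raise DecryptionFailed, 'Invalid authentication tag' unless tag.bytesize == GCM_TAG_BYTES

  decrypt_unchecked(key, iv, ciphertext, tag, aad)
end

# Same guard at the token boundary: the fifth segment of a compact JWE
# must decode to exactly 16 bytes when the content encryption is GCM.
def gcm_tag_segment_ok?(compact_jwe)
  segments = compact_jwe.split('.', -1)
  return false unless segments.length == 5

  Base64.urlsafe_decode64(segments[4]).bytesize == GCM_TAG_BYTES
rescue ArgumentError
  false # segment is not valid base64url
end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Classifies a decryption attempt as :ok or :rejected.
def outcome
  yield
  :ok
rescue DecryptionFailed
  :rejected
end

# Runs the cases side by side and returns their outcomes.
def tag_length_demo
  key = (0...16).to_a.pack('C*')   # constructed 128-bit key
  iv  = (16...28).to_a.pack('C*')  # constructed 96-bit nonce
  protected_header = b64url('{"alg":"dir","enc":"A128GCM"}') # constructed; JWE AAD is this base64url form
  ciphertext, tag = aes_gcm_encrypt(key, iv, '{"sub":"alice"}', protected_header)

  truncated = tag.byteslice(0, GCM_TAG_BYTES - 1) # what the fix's spec produces with slice(0..-2)
  tampered  = tag.dup
  tampered.setbyte(GCM_TAG_BYTES - 1, tampered.getbyte(GCM_TAG_BYTES - 1) ^ 0x01)

  compact           = [protected_header, '', b64url(iv), b64url(ciphertext), b64url(tag)].join('.')
  compact_truncated = [protected_header, '', b64url(iv), b64url(ciphertext), b64url(truncated)].join('.')

  {
    full_unchecked:      outcome { decrypt_unchecked(key, iv, ciphertext, tag, protected_header) },
    truncated_unchecked: outcome { decrypt_unchecked(key, iv, ciphertext, truncated, protected_header) },
    full_checked:        outcome { decrypt_checked(key, iv, ciphertext, tag, protected_header) },
    truncated_checked:   outcome { decrypt_checked(key, iv, ciphertext, truncated, protected_header) },
    tampered_checked:    outcome { decrypt_checked(key, iv, ciphertext, tampered, protected_header) },
    segment_full:        gcm_tag_segment_ok?(compact),
    segment_truncated:   gcm_tag_segment_ok?(compact_truncated)
  }
end

puts tag_length_demo if $PROGRAM_NAME == __FILE__
```

Running the script shows the unchecked path accepting the 15-byte tag (the condition the advisory describes) while the checked path rejects it and still rejects a full-length tag whose last byte was altered; the segment check lets a token be refused before any decryption work is done.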

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: json-jwt (RubyGems)
Affected versions: >= 0.5.1, < 1.9.4
Patched versions: 1.9.4

Affected products

1

Patches

1
a3b2147f0f6d

Merge pull request #62 from bdewater/verify-gcm-auth-tag-length

https://github.com/nov/json-jwt · Nov Matake · Apr 30, 2018 · via ghsa
2 files changed · +26 −0
  • lib/json/jwe.rb (+2 −0, modified)
    @@ -48,6 +48,8 @@ def decrypt!(private_key_or_secret, algorithms = nil, encryption_methods = nil)
           cipher.key = encryption_key
           cipher.iv = iv # NOTE: 'iv' has to be set after 'key' for GCM
           if gcm?
    +        # https://github.com/ruby/openssl/issues/63
    +        raise DecryptionFailed.new('Invalid authentication tag') if authentication_tag.length < 16
             cipher.auth_tag = authentication_tag
             cipher.auth_data = auth_data
           end
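Review bot: the guard `raise DecryptionFailed.new('Invalid authentication tag') if authentication_tag.length < 16` rejects only short tags; for A128GCM/A256GCM the JWE tag is exactly 128 bits (RFC 7518 section 5.3), so `!= 16` is the precise condition and also rejects an over-long tag. The comment links ruby/openssl#63 but does not state why the check is needed: `cipher.auth_tag=` takes the expected tag length from the string it is given, so a truncated tag is compared against only a prefix of the real one; one sentence to that effect would save the next reader a trip to the issue. `authentication_tag.bytesize` would also make the intent explicit, even though it equals `length` for the binary string produced by base64url decoding.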
    
  • spec/json/jwe_spec.rb (+24 −0, modified)
    @@ -169,6 +169,24 @@
           end
         end
     
    +    shared_examples_for :verify_gcm_authentication_tag do
    +      let(:jwe_string) do
    +        _jwe_ = JSON::JWE.new plain_text
    +        _jwe_.alg, _jwe_.enc = alg, enc
    +        _jwe_.encrypt! key
    +        header, key, iv, cipher_text, auth_tag = _jwe_.to_s.split('.')
    +        truncated_auth_tag = Base64.urlsafe_decode64(auth_tag).slice(0..-2)
    +        truncated_auth_tag = Base64.urlsafe_encode64(truncated_auth_tag, padding: false)
    +        [header, key, iv, cipher_text, truncated_auth_tag].join('.')
    +      end
    +
    +      it do
    +        expect do
    +          jwe.decrypt! key
    +        end.to raise_error JSON::JWE::DecryptionFailed
    +      end
    +    end
    +
         shared_examples_for :unexpected_algorithm_for_decryption do
           it do
             expect do
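Review bot: in the `let(:jwe_string)` block, `header, key, iv, cipher_text, auth_tag = _jwe_.to_s.split('.')` assigns a block-local `key` that shadows the `key` helper used on the preceding line (`_jwe_.encrypt! key`); it works only because the helper is called before the assignment, so renaming the segment to `encrypted_key` would remove the trap. The example also exercises only a tag shortened by one byte; an empty tag segment and a tag longer than 16 bytes would pin down both edges of the length check. `Base64` is used here without a visible `require 'base64'`, which is fine only if the spec helper already loads it.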
    @@ -193,6 +211,7 @@
             let(:enc) { :A128GCM }
             if gcm_supported?
               it_behaves_like :decryptable
    +          it_behaves_like :verify_gcm_authentication_tag
             else
               it_behaves_like :gcm_decryption_unsupported
             end
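Review bot: this hunk and the five that follow each add the same `it_behaves_like :verify_gcm_authentication_tag` line under `if gcm_supported?`, so the new length check is never exercised on a build without GCM support, consistent with how `:decryptable` is already handled. Six identical insertions suggest the shared example could be included once at the level that already groups the GCM contexts, if the spec layout permits it.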
    @@ -202,6 +221,7 @@
             let(:enc) { :A256GCM }
             if gcm_supported?
               it_behaves_like :decryptable
    +          it_behaves_like :verify_gcm_authentication_tag
             else
               it_behaves_like :gcm_decryption_unsupported
             end
    @@ -226,6 +246,7 @@
             let(:enc) { :A128GCM }
             if gcm_supported?
               it_behaves_like :decryptable
    +          it_behaves_like :verify_gcm_authentication_tag
             else
               it_behaves_like :gcm_decryption_unsupported
             end
    @@ -235,6 +256,7 @@
             let(:enc) { :A256GCM }
             if gcm_supported?
               it_behaves_like :decryptable
    +          it_behaves_like :verify_gcm_authentication_tag
             else
               it_behaves_like :gcm_decryption_unsupported
             end
    @@ -262,6 +284,7 @@
             let(:key_size) { 16 }
             if gcm_supported?
               it_behaves_like :decryptable
    +          it_behaves_like :verify_gcm_authentication_tag
             else
               it_behaves_like :gcm_decryption_unsupported
             end
    @@ -272,6 +295,7 @@
             let(:key_size) { 32 }
             if gcm_supported?
               it_behaves_like :decryptable
    +          it_behaves_like :verify_gcm_authentication_tag
             else
               it_behaves_like :gcm_decryption_unsupported
             end
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.