CVE-2019-18848
Description
The json-jwt gem before 1.11.0 for Ruby lacks an element count during the splitting of a JWE string.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The json-jwt gem before 1.11.0 for Ruby lacks an element count check when splitting a JWE string, potentially leading to denial of service or other attacks.
The json-jwt gem for Ruby implements JSON Web Token (JWT) and related standards. In versions prior to 1.11.0, the gem fails to verify the number of elements when splitting a JWE (JSON Web Encryption) string. This missing element count check can cause unexpected behavior when processing malformed JWE tokens [1][2].
An attacker can craft a specially malformed JWE string that, when parsed by an application using the vulnerable gem, triggers an error or unexpected state. The attack does not require authentication if the application accepts JWE tokens from untrusted sources. The vulnerability is in the splitting logic, which assumes a fixed number of components without validation [3].
Exploitation could lead to denial of service (DoS) by causing the application to crash or enter an infinite loop. In some scenarios, it might also enable other attacks such as information disclosure or bypass of security checks, depending on how the application handles the error [2][3].
The issue is fixed in json-jwt version 1.11.0. Users should upgrade to the latest version. No workarounds are documented. The vulnerability is listed in the Ruby Advisory Database [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
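To make the mechanism described above concrete, here is an added Ruby example (not json-jwt's own code) that mirrors the gem's separator-count guard and compares the unbounded `split('.')` of 1.10.2 with the limited `split('.', NUM_OF_SEGMENTS)` of the fix; the constant value and the trailing-dot token are constructed for illustration.

```ruby
require 'base64'

# Segments of a JWE compact serialization:
# header.encrypted_key.iv.ciphertext.tag (same value as json-jwt's constant).
NUM_OF_SEGMENTS = 5

# The pre-fix guard: it counts separators, not the elements split produces.
def segment_count_ok?(input)
  input.count('.') + 1 == NUM_OF_SEGMENTS
end

# Pre-1.11.0 behaviour: String#split without a limit drops trailing empty
# fields, so a token ending in "." yields only four elements.
def split_unbounded(input)
  input.split('.')
end

# 1.11.0 behaviour: a positive limit keeps trailing empty fields, so the
# result has exactly NUM_OF_SEGMENTS elements whenever the guard passed.
def split_bounded(input)
  input.split('.', NUM_OF_SEGMENTS)
end

# What lands in `authentication_tag` after the five-way multiple assignment
# in decode_compact_serialized: nil when the array is short, "" when the
# empty fifth field is preserved and decoded.
def tag_after_assignment(input, bounded:)
  parts = bounded ? split_bounded(input) : split_unbounded(input)
  _header, _key, _iv, _ciphertext, tag =
    parts.collect { |segment| Base64.urlsafe_decode64(segment.to_s) }
  tag
end

# Constructed sample (not a real token): four base64url segments
# ('{"alg":"dir"}', "key", "iv", "ct") followed by a dangling dot, i.e. an
# empty authentication tag. It contains four dots, so the guard passes.
TRAILING_DOT_TOKEN = 'eyJhbGciOiJkaXIifQ.a2V5.aXY.Y3Q.'

if __FILE__ == $PROGRAM_NAME
  puts "guard passes:       #{segment_count_ok?(TRAILING_DOT_TOKEN)}"
  puts "unbounded elements: #{split_unbounded(TRAILING_DOT_TOKEN).length}"
  puts "bounded elements:   #{split_bounded(TRAILING_DOT_TOKEN).length}"
  puts "tag (1.10.2):       #{tag_after_assignment(TRAILING_DOT_TOKEN, bounded: false).inspect}"
  puts "tag (1.11.0):       #{tag_after_assignment(TRAILING_DOT_TOKEN, bounded: true).inspect}"
end
```

Note that the limit only restores the element count; an empty tag still decodes to `""`, so the downstream integrity check must still reject it.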
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| json-jwt (RubyGems) | < 1.11.0 | 1.11.0 |
Affected products
- Ruby/json-jwt gem (GHSA coordinates, 5 version ranges, no CPE):
  - pkg:gem/json-jwt: < 1.11.0
  - pkg:rpm/opensuse/rubygem-aes_key_wrap (openSUSE Leap 15.5): < 1.1.0-bp155.2.1
  - pkg:rpm/opensuse/rubygem-json-jwt (openSUSE Leap 15.5): < 1.16.6-bp155.3.3.1
  - pkg:rpm/suse/rubygem-aes_key_wrap (SUSE Package Hub 15 SP5): < 1.1.0-bp155.2.1
  - pkg:rpm/suse/rubygem-json-jwt (SUSE Package Hub 15 SP5): < 1.16.6-bp155.3.3.1
Patches
1 file changed · +1 −1
VERSION+1 −1 modified@@ -1 +1 @@ -1.10.2 \ No newline at end of file +1.11.0 \ No newline at end of file
ada16e772906explicitly specifying number of elements when splitting JWE string
2 files changed · +3 −3
lib/json/jwe.rb+1 −1 modified@@ -254,7 +254,7 @@ def decode_compact_serialized(input, private_key_or_secret, algorithms = nil, en raise InvalidFormat.new("Invalid JWE Format. JWE should include #{NUM_OF_SEGMENTS} segments.") end jwe = new - _header_json_, jwe.jwe_encrypted_key, jwe.iv, jwe.cipher_text, jwe.authentication_tag = input.split('.').collect do |segment| + _header_json_, jwe.jwe_encrypted_key, jwe.iv, jwe.cipher_text, jwe.authentication_tag = input.split('.', NUM_OF_SEGMENTS).collect do |segment| begin Base64.urlsafe_decode64 segment rescue ArgumentError
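Review bot: the limit argument on the changed line makes `input.split('.', NUM_OF_SEGMENTS)` return exactly five elements for any input that passed the separator count, so `jwe.authentication_tag` is no longer nil when the token ends in a dot, but it still arrives as an empty string after `Base64.urlsafe_decode64`; consider extending the guard that raises `InvalidFormat` above `jwe = new` to also reject empty segments, so a missing tag fails format validation up front rather than relying on decryption to fail later.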
lib/json/jws.rb+2 −2 modified@@ -179,7 +179,7 @@ def decode_compact_serialized(input, public_key_or_secret, algorithms = nil, all unless input.count('.') + 1 == NUM_OF_SEGMENTS raise InvalidFormat.new("Invalid JWS Format. JWS should include #{NUM_OF_SEGMENTS} segments.") end - header, claims, signature = input.split('.', JWS::NUM_OF_SEGMENTS).collect do |segment| + header, claims, signature = input.split('.', NUM_OF_SEGMENTS).collect do |segment| Base64.urlsafe_decode64 segment.to_s end header = JSON.parse(header).with_indifferent_access @@ -191,7 +191,7 @@ def decode_compact_serialized(input, public_key_or_secret, algorithms = nil, all jws = new claims jws.header = header jws.signature = signature - jws.signature_base_string = input.split('.')[0, JWS::NUM_OF_SEGMENTS - 1].join('.') + jws.signature_base_string = input.split('.')[0, NUM_OF_SEGMENTS - 1].join('.') jws.verify! public_key_or_secret, algorithms unless public_key_or_secret == :skip_verification jws end
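Review bot: both hunks only drop the `JWS::` qualifier (the guard `unless input.count('.') + 1 == NUM_OF_SEGMENTS` in the same method already uses the bare constant), so behaviour is unchanged; the second `input.split('.')` on the `signature_base_string` line still has no limit, which is safe only because the separator count is validated first and only the first `NUM_OF_SEGMENTS - 1` parts are taken. Consider splitting once and reusing that array for both the decoded segments and the signature base string so the two paths cannot diverge.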
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cff7-6h4q-q5pj (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-18848 (advisory)
- github.com/nov/json-jwt/commit/ada16e772906efdd035e3df49cb2ae372f0f948a (fix commit)
- github.com/nov/json-jwt/compare/v1.10.2...v1.11.0 (release comparison)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/json-jwt/CVE-2019-18848.yml (Ruby Advisory Database entry)
- lists.debian.org/debian-lts-announce/2020/10/msg00001.html (Debian LTS mailing list)
News mentions
No linked articles in our index yet.