CVE-2023-51774
Description
The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JSON::JWT gem 1.16.3 for Ruby allows identity check bypass via sign/encryption confusion, enabling JWE to bypass decode.
The json-jwt (JSON::JWT) gem version 1.16.3 for Ruby contains a vulnerability that allows bypass of identity checks through a sign/encryption confusion attack [1]. The root cause is that the JSON::JWT.decode function automatically determines whether a token is a JWS (signed) or JWE (encrypted) without proper validation, leading to potential confusion between the two token types [2].
An attacker who has access to the public key used for signing (e.g., in an RS-* algorithm scenario) can craft a JWE token that is incorrectly interpreted as a valid JWS token by the decode method [3]. This attack does not require the attacker to possess the private key; knowledge of the public key is sufficient to exploit the confusion [3]. The exploit is demonstrated in a proof-of-concept that shows how a JWE can be used to bypass JSON::JWT.decode [3].
Successful exploitation allows an attacker to bypass identity checks, potentially leading to authentication bypass or privilege escalation in applications that rely on json-jwt for token validation [1][2]. The impact is significant because the gem is used for JWT handling in Ruby applications, and the confusion attack undermines the integrity of token verification.
The vulnerability is documented in the ruby-advisory-db [4]. As of the initial disclosure, users are advised to monitor the gem repository for a patched version and upgrade accordingly. No workaround is currently available beyond avoiding the use of the affected version or implementing additional token type validation [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
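One way to apply the "additional token type validation" the narrative mentions, as an added Ruby example that is not code from json-jwt or from this page: a gate placed in front of JSON::JWT.decode that classifies a compact token by the same segment counts the library dispatches on (3 for JWS, 5 for JWE) plus the header shape, and refuses a JWE wherever the caller expects a signed token. The function names, the `TokenTypeMismatch` error and the sample tokens are constructed for this example.

```ruby
require 'base64'
require 'json'

# Segment counts json-jwt dispatches on (JWS::NUM_OF_SEGMENTS / JWE::NUM_OF_SEGMENTS).
JWS_SEGMENTS = 3
JWE_SEGMENTS = 5

class TokenTypeMismatch < StandardError; end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Parse the protected JOSE header (first segment) without verifying or decrypting anything.
# Returns nil when the segment is not base64url-encoded JSON object.
def jose_header(token)
  seg = token.split('.', -1).first.to_s
  padded = seg + '=' * ((4 - seg.length % 4) % 4)
  header = JSON.parse(Base64.urlsafe_decode64(padded))
  header.is_a?(Hash) ? header : nil
rescue ArgumentError, JSON::ParserError
  nil
end

# Classify by segment count AND header shape: a JWE header must carry "enc", a JWS header must not.
def classify_token(token)
  header = jose_header(token)
  return :invalid if header.nil? || !header.key?('alg')
  case token.split('.', -1).length
  when JWS_SEGMENTS then header.key?('enc') ? :invalid : :jws
  when JWE_SEGMENTS then header.key?('enc') ? :jwe : :invalid
  else :invalid
  end
end

# Gate to call before JSON::JWT.decode: a verifier that expects signed tokens passes :jws, so a
# five-segment JWE never reaches the library's automatic JWS/JWE dispatch.
def assert_token_type!(token, expected)
  actual = classify_token(token)
  raise TokenTypeMismatch, "expected #{expected}, got #{actual}" unless actual == expected
  token
end

# Constructed sample tokens (placeholder signature/ciphertext bytes, not real cryptographic output).
SIGNED_TOKEN = [b64url('{"alg":"RS256","typ":"JWT"}'), b64url('{"sub":"alice"}'), b64url('sig')].join('.')
ENCRYPTED_TOKEN = [b64url('{"alg":"RSA-OAEP","enc":"A256GCM"}'), b64url('ek'), b64url('iv'),
                   b64url('ct'), b64url('tag')].join('.')
```

Call `assert_token_type!(token, :jws)` before handing the token to the library; the check rejects on type mismatch and still leaves signature verification to the library.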
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| json-jwt (RubyGems) | >= 1.16.0, < 1.16.6 | 1.16.6 |
| json-jwt (RubyGems) | < 1.15.3.1 | 1.15.3.1 |
Affected products
- json-jwt/json-jwt (from the advisory description)
- OSV coordinates (15 versions, no CPE):

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/kube-fluentd-operator | < 1.18.2-r3 |
| pkg:apk/chainguard/kube-fluentd-operator-compat | < 1.18.2-r3 |
| pkg:apk/chainguard/kube-fluentd-operator-default-config | < 1.18.2-r3 |
| pkg:apk/chainguard/kube-fluentd-operator-oci-entrypoint | < 1.18.2-r3 |
| pkg:apk/chainguard/ruby3.2-json-jwt | < 1.16.6-r0 |
| pkg:apk/wolfi/kube-fluentd-operator | < 1.18.2-r3 |
| pkg:apk/wolfi/kube-fluentd-operator-compat | < 1.18.2-r3 |
| pkg:apk/wolfi/kube-fluentd-operator-default-config | < 1.18.2-r3 |
| pkg:apk/wolfi/kube-fluentd-operator-oci-entrypoint | < 1.18.2-r3 |
| pkg:apk/wolfi/ruby3.2-json-jwt | < 1.16.6-r0 |
| pkg:gem/json-jwt | >= 1.16.0, < 1.16.6 |
| pkg:rpm/opensuse/rubygem-aes_key_wrap&distro=openSUSE%20Leap%2015.5 | < 1.1.0-bp155.2.1 |
| pkg:rpm/opensuse/rubygem-json-jwt&distro=openSUSE%20Leap%2015.5 | < 1.16.6-bp155.3.3.1 |
| pkg:rpm/suse/rubygem-aes_key_wrap&distro=SUSE%20Package%20Hub%2015%20SP5 | < 1.1.0-bp155.2.1 |
| pkg:rpm/suse/rubygem-json-jwt&distro=SUSE%20Package%20Hub%2015%20SP5 | < 1.16.6-bp155.3.3.1 |
Patches
2 patches
1 file changed · +5 −1
lib/json/jwt.rb+5 −1 modified@@ -109,7 +109,11 @@ def decode_compact_serialized(jwt_string, key_or_secret, algorithms = nil, encry when JWS::NUM_OF_SEGMENTS JWS.decode_compact_serialized jwt_string, key_or_secret, algorithms, allow_blank_payload when JWE::NUM_OF_SEGMENTS - JWE.decode_compact_serialized jwt_string, key_or_secret, algorithms, encryption_methods + if allow_blank_payload + raise InvalidFormat.new("JWE w/ blank payload is not supported.") + else + JWE.decode_compact_serialized jwt_string, key_or_secret, algorithms, encryption_methods + end else raise InvalidFormat.new("Invalid JWT Format. JWT should include #{JWS::NUM_OF_SEGMENTS} or #{JWE::NUM_OF_SEGMENTS} segments.") end
1 file changed · +5 −1
lib/json/jwt.rb+5 −1 modified@@ -108,7 +108,11 @@ def decode_compact_serialized(jwt_string, key_or_secret, algorithms = nil, encry when JWS::NUM_OF_SEGMENTS JWS.decode_compact_serialized jwt_string, key_or_secret, algorithms, allow_blank_payload when JWE::NUM_OF_SEGMENTS - JWE.decode_compact_serialized jwt_string, key_or_secret, algorithms, encryption_methods + if allow_blank_payload + raise InvalidFormat.new("JWE w/ blank payload is not supported.") + else + JWE.decode_compact_serialized jwt_string, key_or_secret, algorithms, encryption_methods + end else raise InvalidFormat.new("Invalid JWT Format. JWT should include #{JWS::NUM_OF_SEGMENTS} or #{JWE::NUM_OF_SEGMENTS} segments.") end
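Review bot: the new guard in the `when JWE::NUM_OF_SEGMENTS` branch only refuses a JWE when `allow_blank_payload` is true; with the default (false) `decode_compact_serialized` still chooses between `JWS.decode_compact_serialized` and `JWE.decode_compact_serialized` purely by segment count, so a caller that holds only a verification key and expects signed tokens can still have a five-segment input routed to the JWE path. Consider letting the caller pin the expected type (an explicit argument or separate entry points) instead of inferring it from the input, and reword the `InvalidFormat` message, which currently says only "JWE w/ blank payload is not supported." and does not tell the caller that the token type was rejected. The same hunk appears in both commits (offset 109 vs 108), so both branches need the same follow-up.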
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-c8v6-786g-vjx6 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-51774 (GHSA, advisory)
- github.com/P3ngu1nW/CVE_Request/blob/main/novjson-jwt.md (GHSA, web)
- github.com/nov/json-jwt/commit/593ea8bcaf2629048bad8c036191f2da0a2e713c (GHSA, web)
- github.com/nov/json-jwt/commit/9c4d842a9465bd7960570ca326c3de79b4abc9d0 (GHSA, web)
- github.com/nov/json-jwt/issues/120 (GHSA, web)
- github.com/nov/json-jwt/issues/121 (GHSA, web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/json-jwt/CVE-2023-51774.yml (GHSA, web)
News mentions
No linked articles in our index yet.