VYPR
Get started
← All advisories
Critical severity9.1NVD Advisory· Published Aug 8, 2025· Updated Apr 15, 2026

CVE-2025-54887

CVE-2025-54887

Description

jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption (JWE) standard. In versions 1.1.0 and below, authentication tags of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. This puts users at risk because JWEs can be modified to decrypt to an arbitrary value, decrypted by observing parsing differences and the GCM internal GHASH key can be recovered. Users are affected by this vulnerability even if they do not use an AES-GCM encryption algorithm for their JWEs. As the GHASH key may have been leaked, users must rotate the encryption keys after upgrading. This issue is fixed in version 1.1.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
jweRubyGems
< 1.1.11.1.1

Patches

2
0a210f19a8a7
https://github.com/jwt/ruby-jwevia osv
1e719d79ba3d

Merge commit from fork

https://github.com/jwt/ruby-jweJoakim AntmanAug 7, 2025via ghsa
commit
2 files changed · +13 1
  • lib/jwe/enc/aes_gcm.rb+5 1 modified
    @@ -38,7 +38,11 @@ def setup_cipher(direction, auth_data)
         cipher.send(direction)
         cipher.key = cek
         cipher.iv = iv
-        cipher.auth_tag = tag if direction == :decrypt
+        if direction == :decrypt
+          raise JWE::InvalidData, 'Invalid ciphertext or authentication tag' unless tag.bytesize == 16
+
+          cipher.auth_tag = tag
+        end
         cipher.auth_data = auth_data
       end
  • spec/jwe/enc_spec.rb+8 0 modified
    @@ -130,6 +130,14 @@
           end
         end
 
+        context 'when the tag is not 16 bytes' do
+          it 'raises an error' do
+            enc = klass.new(key, group[:iv])
+            enc.tag = group[:tag][0...-1]
+            expect { enc.decrypt(group[:helloworld], '') }.to raise_error(JWE::InvalidData)
+          end
+        end
+
         context 'when the ciphertext is not valid' do
           it 'raises an error' do
             enc = klass.new(key, group[:iv])

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.