VYPR

Libjwt

by Libjwt

CVEs (3)

  • CVE-2026-44699 | Cri | May 15, 2026
    risk 0.52 | cvss | epss 0.00

    LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt accepts an RSA JWK that does not contain an alg parameter as the verification key for an HS256/HS384/HS512 token. In the OpenSSL backend, this causes HMAC verification to run with a zero-length key, so an attacker…

  • CVE-2026-33996 | Med | Mar 27, 2026
    risk 0.29 | cvss 5.5 | epss 0.00

    LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in…

  • CVE-2024-25189 | Feb 8, 2024
    risk 0.00 | cvss | epss 0.01

    libjwt 1.15.3 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel.