VYPR

Ruby JWT

by JWT

CVEs (2)

  • CVE-2025-45765 · Critical · Aug 7, 2025
    risk 0.59 · cvss 9.1 · epss 0.00

    ruby-jwt v3.0.0.beta1 was discovered to contain weak encryption. NOTE: the Supplier's perspective is "keysize is not something that is enforced by this library. Currently more recent versions of OpenSSL are enforcing some key sizes and those restrictions apply to the users of…

  • CVE-2026-45363 · High · May 18, 2026
    risk 0.39 · cvss · epss 0.00

    `JWT.decode(token, '', true, algorithm: 'HS256')` accepts an attacker-forged token. `OpenSSL::HMAC.digest('SHA256', '', payload)` returns a valid digest under an empty key, and no `raise InvalidKeyError if key.empty?` precondition exists in the HMAC algorithm. …