php-jwt v6.11.0 was discovered to contain weak encryption. NOTE: this issue has been disputed on the basis that key lengths are expected to be set by an application, not by this library. This dispute is subject to review under CNA rules 4.1.4, 4.1.14, and other rules; the dispute tagging is not meant to recommend an outcome for this CVE Record.
https://github.com/github/advisory-database/pull/6954
https://github.com/firebase/php-jwt/releases/tag/v7.0.0
https://github.com/firebase/php-jwt/pull/613
https://github.com/firebase/php-jwt/issues/620
https://github.com/firebase/php-jwt
https://github.com/advisories/GHSA-2x45-7fc3-mxwq
https://gist.github.com/ZupeiNie/83756316c4c24fe97a50176a92608db3
Published: 2025-07-31
Updated: 2026-02-18
Base Score: 6.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N
Severity: Medium
Base Score: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Severity: Medium
Base Score: 6.9
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Severity: Medium
EPSS: 0.00014