CVE-2025-45765

Name: CVE-2025-45765
Description: ruby-jwt v3.0.0.beta1 was discovered to contain weak encryption. NOTE: the Supplier's perspective is "keysize is not something that is enforced by this library. Currently more recent versions of OpenSSL are enforcing some key sizes and those restrictions apply to the users of this gem also."
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| ruby-jwt (PTS) | bullseye | 2.2.2-1 | vulnerable |
| | bookworm | 2.5.0-1 | vulnerable |
| | forky, sid, trixie | 2.7.1-1 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ruby-jwt | source | (unstable) | (unfixed) | unimportant | | |

Notes

https://github.com/jwt/ruby-jwt/issues/668
https://github.com/jwt/ruby-jwt/issues/668#issuecomment-2817325848
