CVE-2025-45770

Name: CVE-2025-45770
Description: jwt v5.4.3 was discovered to contain weak encryption. NOTE: this issue has been disputed on the basis that key lengths are expected to be set by an application, not by this library. This dispute is subject to review under CNA rules 4.1.4, 4.1.14, and other rules; the dispute tagging is not meant to recommend an outcome for this CVE Record.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| php-lcobucci-jwt (PTS) | forky, sid, trixie | 5.5.0-1 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| php-lcobucci-jwt | source | (unstable) | (unfixed) | unimportant | | |

Notes

https://github.com/lcobucci/jwt/security/advisories/GHSA-rp3h-65jh-3c3m
Negligible security impact
