CVE-2025-45765 is a critical vulnerability identified in the ruby-jwt library version 3.0.0.beta1, which is used for JSON Web Token (JWT) encoding and decoding in Ruby applications. The vulnerability stems from the use of weak encryption key sizes within the library. Although the library itself does not enforce key size restrictions, it relies on underlying cryptographic providers such as OpenSSL, which have started enforcing minimum key size requirements. This weak encryption (classified under CWE-326: Inadequate Encryption Strength) can lead to compromised confidentiality and availability of JWT tokens. Since JWTs are widely used for authentication and authorization in web applications, weak encryption can allow attackers to decrypt tokens, leading to unauthorized access or token forgery. The CVSS v3.1 score of 9.1 (critical) reflects the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity impact (I:N), and high availability impact (A:H). The absence of known exploits in the wild suggests it is a newly disclosed issue, but the potential for exploitation is significant given the ease of attack and critical impact. The vulnerability affects applications using the vulnerable ruby-jwt version, especially those that do not enforce strong cryptographic key sizes themselves or rely solely on the library's defaults. This weakness can lead to token decryption or denial of service by exploiting the weak encryption, undermining application security and availability.

For European organizations, this vulnerability poses a significant risk, especially for those relying on Ruby-based web applications or services that utilize the ruby-jwt library for authentication and session management. Exploitation could lead to unauthorized access to sensitive data, user impersonation, and service disruptions. Given the critical CVSS score and the fact that no privileges or user interaction are required, attackers can remotely exploit this vulnerability over the network. This can result in breaches of personal data protected under GDPR, leading to regulatory penalties and reputational damage. Additionally, availability impacts could disrupt critical business operations, especially in sectors like finance, healthcare, and government services where Ruby applications are prevalent. The weak encryption undermines the trustworthiness of JWT tokens, potentially allowing attackers to bypass authentication controls or cause denial of service by exploiting token validation failures. European organizations with legacy or beta versions of ruby-jwt are particularly vulnerable if they have not applied patches or mitigations.

1. Immediate upgrade: Organizations should upgrade ruby-jwt to a stable, patched version that enforces strong encryption key sizes or addresses this vulnerability once available. 2. Enforce cryptographic policies: Independently enforce minimum key sizes and strong cryptographic algorithms at the application or infrastructure level, not relying solely on the library defaults. 3. Audit JWT usage: Review all applications using ruby-jwt to identify vulnerable versions and assess token encryption configurations. 4. Implement defense-in-depth: Use additional layers of security such as Web Application Firewalls (WAFs) to detect and block suspicious JWT-related traffic. 5. Monitor and log JWT validation failures and anomalies to detect potential exploitation attempts early. 6. Educate developers on secure JWT practices, including key management and token lifecycle. 7. If immediate upgrade is not feasible, consider disabling JWT features or replacing them with alternative secure authentication mechanisms temporarily. 8. Coordinate with cryptographic library providers (e.g., OpenSSL) to ensure their enforcement of key size policies is up to date and compatible with your environment.