The vulnerability CVE-2025-45769 affects the php-jwt library version 6.11.0, a widely used PHP library for creating and verifying JSON Web Tokens (JWTs). The core issue is the presence of weak encryption due to insufficient key length enforcement within the library. However, this vulnerability is disputed because the library developers argue that key length settings are the responsibility of the application using the library, not the library itself. This dispute is currently under review according to CNA rules. The vulnerability is classified under CWE-326, which involves the use of weak cryptographic keys or algorithms. The CVSS 3.1 base score is 6.5 (medium severity), with an attack vector of network (remote exploitation), low attack complexity, no privileges required, no user interaction, and impacts on confidentiality and integrity but not availability. No patches or fixes have been officially released, and no known exploits are reported in the wild. The vulnerability could allow attackers to compromise the confidentiality and integrity of JWTs if weak keys are used, potentially enabling token forgery or unauthorized access. Since JWTs are commonly used for authentication and authorization in web applications, this vulnerability could undermine security controls if not addressed properly.

The potential impact of this vulnerability is the compromise of JWT-based authentication and authorization mechanisms in applications using php-jwt 6.11.0 with weak encryption keys. Attackers could exploit weak key lengths to forge tokens or decrypt sensitive information, leading to unauthorized access to protected resources, data leakage, or privilege escalation. This could affect web applications, APIs, and services relying on JWTs for session management or identity assertions. The impact is primarily on confidentiality and integrity, as attackers may manipulate tokens or intercept sensitive data. Although no availability impact is expected, the breach of authentication integrity can lead to significant security incidents, including data breaches and unauthorized transactions. Organizations worldwide using php-jwt in their technology stacks are at risk, especially if they do not enforce strong cryptographic key policies. The absence of known exploits suggests limited immediate threat, but the medium severity rating indicates a meaningful risk if exploited.

Organizations should immediately review their use of php-jwt version 6.11.0 and assess their cryptographic key management practices. Specifically, ensure that encryption keys used for JWT signing and verification meet strong length and complexity requirements consistent with current cryptographic standards (e.g., minimum 256-bit keys for HMAC or appropriate key sizes for asymmetric algorithms). Developers should implement application-level controls to enforce key strength, as the library does not enforce this. Additionally, consider upgrading to a newer version of php-jwt if and when a patched release addressing this issue becomes available. In the interim, perform security audits and penetration testing focused on JWT handling to detect weak keys or token forgery vulnerabilities. Employ defense-in-depth strategies such as token expiration, audience validation, and issuer verification to limit the impact of compromised tokens. Monitoring and logging JWT validation failures can help detect exploitation attempts. Finally, educate development teams about secure cryptographic practices and the importance of key management in JWT security.