
CVE-2025-54887: CWE-354: Improper Validation of Integrity Check Value in jwt ruby-jwe

Critical
Tags: Vulnerability, CVE-2025-54887, CWE-354
Published: Fri Aug 08 2025 (08/08/2025, 00:06:20 UTC)
Source: CVE Database V5
Vendor/Project: jwt
Product: ruby-jwe

Description

jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption (JWE) standard. In versions 1.1.0 and below, authentication tags of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. This puts users at risk because JWEs can be modified to decrypt to an arbitrary value, decrypted by observing parsing differences and the GCM internal GHASH key can be recovered. Users are affected by this vulnerability even if they do not use an AES-GCM encryption algorithm for their JWEs. As the GHASH key may have been leaked, users must rotate the encryption keys after upgrading. This issue is fixed in version 1.1.1.

AI-Powered Analysis

Last updated: 08/15/2025, 01:13:59 UTC

Technical Analysis

CVE-2025-54887 is a critical vulnerability in ruby-jwe, a Ruby implementation of the JSON Web Encryption (JWE) standard defined in RFC 7516. In versions 1.1.0 and below, the authentication tags of encrypted JWEs can be brute forced. This lets an attacker bypass the integrity check on an encrypted token and craft arbitrary JWEs that decrypt to attacker-controlled plaintext. The root cause is improper validation of the integrity check value (the authentication tag), classified as CWE-354. Users are affected even if AES-GCM is not the encryption algorithm they use for their JWEs, and by observing parsing differences during decryption attempts an attacker can recover the GCM internal GHASH key. Leakage of the GHASH key is particularly severe because it lets an attacker forge valid authentication tags, compromising the integrity of the encryption scheme. The vulnerability requires no privileges or user interaction and can be exploited remotely over the network. The maintainers fixed the issue in ruby-jwe version 1.1.1. Users are strongly advised to upgrade and to rotate their encryption keys, since the GHASH key may already have been compromised before patching. No exploits in the wild have been reported yet, but the CVSS score of 9.1 reflects a critical impact on confidentiality and integrity, with no impact on availability. Any system relying on ruby-jwe for token encryption is at risk, especially web applications and APIs that use JWE for data exchange and authentication.

Potential Impact

For European organizations, the impact of CVE-2025-54887 is substantial. Many enterprises and public sector entities in Europe use Ruby-based web applications and services that may incorporate ruby-jwe for secure token encryption. Exploitation could lead to unauthorized disclosure of sensitive information, such as personally identifiable information (PII), financial data, or authentication credentials, violating GDPR and other data protection regulations. The ability to forge arbitrary JWEs also undermines trust in authentication and authorization mechanisms, potentially enabling privilege escalation or impersonation attacks. This could disrupt business operations, damage reputations, and result in regulatory penalties. Critical infrastructure and government services relying on Ruby applications are particularly at risk. The vulnerability’s ease of exploitation without authentication or user interaction increases the likelihood of targeted attacks or automated scanning by threat actors. Even organizations not directly using AES-GCM are affected, broadening the scope of impact. The need to rotate encryption keys post-upgrade adds operational complexity and risk during remediation.

Mitigation Recommendations

European organizations should immediately upgrade ruby-jwe to version 1.1.1 or later to remediate this vulnerability. Beyond patching, it is crucial to rotate all encryption keys used with ruby-jwe to invalidate any potentially compromised GHASH keys. Organizations should audit their codebases and dependencies to identify all instances of ruby-jwe usage, including transitive dependencies in Ruby gems. Implement strict cryptographic hygiene by enforcing key management best practices, such as using hardware security modules (HSMs) or secure key vaults for key storage and rotation. Conduct thorough testing to ensure that token validation and encryption behave correctly after the upgrade. Monitor application logs and network traffic for anomalous JWE parsing errors or repeated failed authentication tag validations, which may indicate exploitation attempts. Additionally, consider implementing layered security controls such as Web Application Firewalls (WAFs) with rules to detect and block malformed or suspicious JWE tokens. Finally, update incident response plans to include this vulnerability and train security teams on its detection and mitigation.
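The dependency audit step above, as an added example that is not part of the advisory or of the ruby-jwe project: it parses the `specs:` section of a Gemfile.lock (a constructed sample is embedded), flags a `jwe` version below the fixed 1.1.1, and lists which gems pull `jwe` in transitively. The gem name `my-sso-client` is a placeholder.

```ruby
# Added example: audit a Gemfile.lock for ruby-jwe < 1.1.1 (CVE-2025-54887).
require "rubygems"

FIXED_JWE_VERSION = Gem::Version.new("1.1.1")

# Constructed sample lockfile; my-sso-client is a hypothetical dependent gem.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jwe (1.1.0)
      my-sso-client (2.3.0)
        jwe (~> 1.0)
      rack (3.1.7)

  PLATFORMS
    ruby

  DEPENDENCIES
    my-sso-client
    rack
LOCK

# Parse the GEM/specs block into { name => { version:, deps: [names] } }.
# Spec lines are indented 4 spaces, their dependencies 6 spaces.
def parse_lockfile_specs(text)
  specs = {}
  in_specs = false
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    (in_specs = true; next) if line == "  specs:"
    next unless in_specs
    break if line.strip.empty? || !line.start_with?("    ")
    if line =~ /\A    (\S+) \(([^)]+)\)\z/
      current = $1
      specs[current] = { version: $2, deps: [] }
    elsif current && line =~ /\A      (\S+)/
      specs[current][:deps] << $1
    end
  end
  specs
end

def vulnerable_jwe?(version_string)
  Gem::Version.new(version_string) < FIXED_JWE_VERSION
end

# nil when jwe is absent or already fixed; otherwise version + dependents.
def audit_jwe(lockfile_text)
  specs = parse_lockfile_specs(lockfile_text)
  jwe = specs["jwe"]
  return nil unless jwe && vulnerable_jwe?(jwe[:version])
  dependents = specs.select { |_, s| s[:deps].include?("jwe") }.keys
  { version: jwe[:version], dependents: dependents }
end
```

Run it against a real lockfile with `audit_jwe(File.read("Gemfile.lock"))`; a non-nil result means the project, or a gem it depends on, still ships the vulnerable library.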


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-31T17:23:33.476Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6895495bad5a09ad00fe8c65

Added to database: 8/8/2025, 12:48:27 AM

Last enriched: 8/15/2025, 1:13:59 AM

Last updated: 9/19/2025, 3:46:07 PM
