CVE-2025-54887: CWE-354: Improper Validation of Integrity Check Value in jwt ruby-jwe
jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption (JWE) standard. In versions 1.1.0 and below, the authentication tags of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provides ways to craft arbitrary JWEs. This puts users at risk because JWEs can be modified to decrypt to an arbitrary value, can be decrypted by observing parsing differences, and the GCM internal GHASH key can be recovered. Users are affected by this vulnerability even if they do not use an AES-GCM encryption algorithm for their JWEs. As the GHASH key may have been leaked, users must rotate their encryption keys after upgrading. This issue is fixed in version 1.1.1.
AI Analysis
Technical Summary
CVE-2025-54887 is a critical vulnerability in jwt's ruby-jwe, the Ruby implementation of JSON Web Encryption (JWE), affecting versions prior to 1.1.1. It arises from improper validation of the integrity check value (the authentication tag) of encrypted JWEs. In affected versions (<=1.1.0), attackers can brute force the authentication tags of encrypted JWEs, which compromises the confidentiality of the encrypted data. The weakness lets attackers modify JWEs so that they decrypt to arbitrary values, by exploiting parsing differences and by recovering the internal GHASH key used in AES-GCM. Notably, users are affected even if they do not use AES-GCM as their encryption algorithm, because the GHASH key may be leaked. The GHASH key underpins the integrity and authenticity of the encrypted message, and its compromise lets attackers craft arbitrary JWEs that pass normal decryption checks. The flaw is classified as CWE-354 (Improper Validation of Integrity Check Value), a class of defect that leads to cryptographic bypasses. It carries a CVSS v3.1 score of 9.1 (critical), reflecting high impact on confidentiality and integrity with no authentication or user interaction required and low attack complexity. The issue is fixed in ruby-jwe 1.1.1; users are strongly advised to upgrade and to rotate encryption keys, since the GHASH key may have been leaked before patching. No exploits are currently known in the wild, but the severity and ease of exploitation make this a significant threat to any system relying on this library for JWE processing.
Potential Impact
For European organizations, the impact of this vulnerability is substantial, particularly for those using the ruby-jwe library for secure data transmission, token encryption, or authentication workflows involving JSON Web Encryption. The compromise of confidentiality and integrity can lead to unauthorized data disclosure, token forgery, and potential privilege escalation or impersonation attacks. This could affect sectors handling sensitive personal data under GDPR, such as finance, healthcare, and government services, leading to regulatory penalties and reputational damage. Additionally, the ability to craft arbitrary JWEs could undermine trust in authentication mechanisms and session management, potentially enabling broader network intrusions or data breaches. Since the vulnerability does not require authentication or user interaction, it can be exploited remotely by attackers scanning for vulnerable endpoints, increasing the risk of widespread exploitation. The necessity to rotate encryption keys after patching adds operational complexity and risk if not managed properly.
Mitigation Recommendations
European organizations should immediately upgrade ruby-jwe to version 1.1.1 or later to remediate the vulnerability. Beyond upgrading, organizations must perform a comprehensive key rotation for all encryption keys used with the vulnerable library to mitigate risks from leaked GHASH keys. It is critical to audit all systems and applications that utilize ruby-jwe for JWE processing to identify affected components. Implement additional monitoring for anomalous JWE decryption failures or unexpected token modifications that could indicate exploitation attempts. Where feasible, consider employing defense-in-depth by adding application-layer validation of JWE payloads and integrating anomaly detection for cryptographic operations. Organizations should also review their cryptographic libraries and dependencies regularly to ensure timely patching of similar vulnerabilities. Finally, update incident response plans to include procedures for cryptographic key compromise scenarios and ensure secure key management practices are enforced.
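One concrete form of the application-layer validation recommended above, as an added example that is not code from the ruby-jwe project or from this advisory: a Ruby pre-check that refuses a compact JWE whose header names an alg/enc pair the application did not provision, or whose authentication tag is not the full length RFC 7518 specifies for that enc, before the token is handed to the decrypting library. The function names and sample tokens are constructed for illustration.

```ruby
require 'json'

# Full-length authentication tag each JWE "enc" algorithm carries (RFC 7518):
# AES-GCM tags are 128 bits; AES-CBC-HMAC tags are half of the HMAC output.
EXPECTED_TAG_BYTES = {
  'A128GCM' => 16, 'A192GCM' => 16, 'A256GCM' => 16,
  'A128CBC-HS256' => 16, 'A192CBC-HS384' => 24, 'A256CBC-HS512' => 32
}.freeze

# Unpadded base64url helpers; decode is strict and raises ArgumentError on junk.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# Pre-decryption gate (hypothetical helper, not part of ruby-jwe): accept a
# compact JWE only if its header uses a provisioned alg/enc pair and its tag has
# the full length for that enc, so a truncated or algorithm-swapped token never
# reaches the cipher. Returns [:ok, header] or [:reject, reason].
def prevalidate_jwe(token, allowed_enc:, allowed_alg:)
  parts = token.to_s.split('.', -1)
  return [:reject, 'expected 5 dot-separated segments'] unless parts.length == 5

  header = JSON.parse(b64url_decode(parts[0]))
  return [:reject, 'header is not a JSON object'] unless header.is_a?(Hash)
  enc, alg = header['enc'], header['alg']
  return [:reject, "enc #{enc.inspect} not allowed"] unless allowed_enc.include?(enc)
  return [:reject, "alg #{alg.inspect} not allowed"] unless allowed_alg.include?(alg)

  tag_len = b64url_decode(parts[4]).bytesize
  want = EXPECTED_TAG_BYTES.fetch(enc)
  return [:reject, "tag is #{tag_len} bytes, expected #{want}"] unless tag_len == want

  [:ok, header]
rescue JSON::ParserError, ArgumentError, TypeError => e
  [:reject, "malformed token: #{e.class}"]
end

# Constructed samples: a well-formed A256GCM skeleton (filler bytes, not a real
# ciphertext) and the same token carrying a 1-byte tag.
HDR = b64url_encode({ alg: 'dir', enc: 'A256GCM' }.to_json)
IV_B64, CT_B64 = b64url_encode("\x01" * 12), b64url_encode("\x02" * 20)
GOOD_TOKEN = [HDR, '', IV_B64, CT_B64, b64url_encode("\x03" * 16)].join('.')
SHORT_TAG_TOKEN = [HDR, '', IV_B64, CT_B64, b64url_encode("\x03")].join('.')
```

The reject reasons are the signal to log for the anomalous-token monitoring the recommendations call for; a rise in short-tag or disallowed-enc rejections is worth an alert.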
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-31T17:23:33.476Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6895495bad5a09ad00fe8c65
Added to database: 8/8/2025, 12:48:27 AM
Last enriched: 8/8/2025, 1:02:50 AM
Last updated: 8/8/2025, 5:37:55 PM
Related Threats
- CVE-2025-8735: NULL Pointer Dereference in GNU cflow (Medium)
- CVE-2025-4796: CWE-639 Authorization Bypass Through User-Controlled Key in arraytics Eventin – Event Manager, Events Calendar, Booking, Tickets and Registration (High)
- CVE-2025-8734: Double Free in GNU Bison (Medium)
- CVE-2025-8733: Reachable Assertion in GNU Bison (Medium)
- CVE-2025-52914: n/a (High)