CVE-2025-45769

Published: Jul 31, 2025Modified: Feb 18, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.5

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

php-jwt v6.11.0 was discovered to contain weak encryption. NOTE: this issue has been disputed on the basis that key lengths are expected to be set by an application, not by this library. This dispute is subject to review under CNA rules 4.1.4, 4.1.14, and other rules; the dispute tagging is not meant to recommend an outcome for this CVE Record.

Affected (1)

Products: Google: Firebase Php Jwt

1 product

Firebase Php Jwt

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Google Firebase Php Jwt	Up to 6.11.0

Related CWEs

Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

References (8)

https://gist.github.com/ZupeiNie/83756316c4c24fe97a50176a92608db3

Source: cve@mitre.org

Third Party Advisory

https://github.com/advisories/GHSA-2x45-7fc3-mxwq

Source: cve@mitre.org

https://github.com/firebase

Source: cve@mitre.org

Product

https://github.com/firebase/php-jwt

Source: cve@mitre.org

Product

https://github.com/firebase/php-jwt/issues/620

Source: cve@mitre.org

https://github.com/firebase/php-jwt/pull/613

Source: cve@mitre.org

https://github.com/firebase/php-jwt/releases/tag/v7.0.0

Source: cve@mitre.org

https://github.com/github/advisory-database/pull/6954

Source: cve@mitre.org

Timeline

No history available yet.