web-token/jwt-experimental Security Advisories (2)
-
[HIGH] PHP JWT Framework: JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks
PKSA-rq51-8s6h-13tp GHSA-jc38-x7x8-2xc8
Affected version: >=4.1.0,<4.1.7|>=4.0.0,<4.0.7|<3.4.10
Reported by:
GitHub -
[MEDIUM] PHP JWT Framework: Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication tag, performing no authentication on decryption
PKSA-z37k-njn7-w125 GHSA-6vvh-pxr4-25r7
Affected version: <=4.1.6
Reported by:
GitHub