CVE-2025-54887

jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption (JWE) standard. In versions 1.1.0 and below, authentication tags of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. This puts users at risk because JWEs can be modified to decrypt to an arbitrary value, decrypted by observing parsing differences and the GCM internal GHASH key can be recovered. Users are affected by this vulnerability even if they do not use an AES-GCM encryption algorithm for their JWEs. As the GHASH key may have been leaked, users must rotate the encryption keys after upgrading. This issue is fixed in version 1.1.1.

jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption (JWE) standard. In versions 1.1.0 and below, authentication tags of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. This puts users at risk because JWEs can be modified to decrypt to an arbitrary value, decrypted by observing parsing differences and the GCM internal GHASH key can be recovered. Users are affected by this vulnerability even if they do not use an AES-GCM encryption algorithm for their JWEs. As the GHASH key may have been leaked, users must rotate the encryption keys after upgrading. This issue is fixed in version 1.1.1.

### Overview The authentication tag of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. ### Impact - JWEs can be modified to decrypt to an arbitrary value - JWEs can be decrypted by observing parsing differences - The GCM internal [GHASH key](https://en.wikipedia.org/wiki/Galois/Counter_Mode#:~:text=\)%20is%20the-,hash%20key,-%2C%20a%20string%20of) can be recovered ### Am I Affected? You are affected by this vulnerability even if you do not use an `AES-GCM` encryption algorithm for your JWEs. ### Patches The version 1.1.1 fixes the issue by adding the tag length check for the `AES-GCM` algorithm. **Important:** As the [GHASH key](https://en.wikipedia.org/wiki/Galois/Counter_Mode#:~:text=\)%20is%20the-,hash%20key,-%2C%20a%20string%20of) could have leaked, you must rotate the encryption keys after upgrading to version 1.1.1. ### References [Félix Charette talk at NorthSec 2025 about the issue](https://www.youtube.com/watch?v=9IT659uUXfs&t=15830s)

### Overview The authentication tag of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. ### Impact - JWEs can be modified to decrypt to an arbitrary value - JWEs can be decrypted by observing parsing differences - The GCM internal [GHASH key](https://en.wikipedia.org/wiki/Galois/Counter_Mode#:~:text=\)%20is%20the-,hash%20key,-%2C%20a%20string%20of) can be recovered ### Am I Affected? You are affected by this vulnerability even if you do not use an `AES-GCM` encryption algorithm for your JWEs. ### Patches The version 1.1.1 fixes the issue by adding the tag length check for the `AES-GCM` algorithm. **Important:** As the [GHASH key](https://en.wikipedia.org/wiki/Galois/Counter_Mode#:~:text=\)%20is%20the-,hash%20key,-%2C%20a%20string%20of) could have leaked, you must rotate the encryption keys after upgrading to version 1.1.1. ### References [Félix Charette talk at NorthSec 2025 about the issue](https://www.youtube.com/watch?v=9IT659uUXfs&t=15830s)

jwe es una implementación en Ruby del estándar RFC 7516 JSON Web Encryption (JWE). En las versiones 1.1.0 y anteriores, las etiquetas de autenticación de los JWE cifrados pueden ser atacadas por fuerza bruta, lo que puede resultar en la pérdida de confidencialidad de dichos JWE y permitir la manipulación de JWE arbitrarios. Esto pone en riesgo a los usuarios, ya que los JWE pueden modificarse para descifrarse a un valor arbitrario, descifrarse observando las diferencias de análisis y recuperar la clave GHASH interna de GCM. Los usuarios se ven afectados por esta vulnerabilidad incluso si no utilizan un algoritmo de cifrado AES-GCM para sus JWE. Dado que la clave GHASH puede haberse filtrado, los usuarios deben rotar las claves de cifrado después de actualizar. Este problema se solucionó en la versión 1.1.1.