firebase/php-jwt
Packagist
2 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting firebase/php-jwt
- CVE-2021-46743 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 6.0.0 | 2022-03-29
vulnerable: 1.0.0 ... v5.5.1 (14 versions)
In Firebase PHP-JWT before 6.0.0, an algorithm-confusion issue (e.g., RS256 / HS256) exists via the kid (aka Key ID) header, when multiple types of keys are loaded in a key ring. This allows an attacker to forge tokens that validate under …
- CVE-2025-45769 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 7.0.0 | 2025-07-31
vulnerable: 1.0.0 ... v6.9.0 (34 versions)
php-jwt v6.11.0 was discovered to contain weak encryption. NOTE: this issue has been disputed on the basis that key lengths are expected to be set by an application, not by this library. This dispute is subject to review under CNA rules 4.…