CVE-2025-45765

Опубликовано: 07 авг. 2025

Источник: redhat

Описание

ruby-jwt v3.0.0.beta1 was discovered to contain weak encryption. NOTE: the Supplier's perspective is "keysize is not something that is enforced by this library. Currently more recent versions of OpenSSL are enforcing some key sizes and those restrictions apply to the users of this gem also."

A flaw was found in ruby-jwt. The library does not enforce minimum key sizes for encryption, allowing the use of weak keys that may be vulnerable to decryption. A malicious actor can leverage this lack of enforcement to compromise the confidentiality of data protected by the library. This can result in unauthorized access to sensitive information. DISPUTE

Отчет

This CVE is disputed – The reported issue is not a vulnerability in the library itself. The library does not enforce key lengths for HMAC or RSA algorithms except where required by RSA/PS, and key size enforcement is handled by the underlying OpenSSL implementation in recent versions. Security concerns related to insufficient key lengths depend on how the library is used, not on a flaw in the library’s code.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.