CVE Reports

Originally published at cvereports.com

GHSA-5739-39V2-5754: Bleichenbacher / Marvin Padding Oracle in PHP JWE Decryption (RSAES-PKCS1-v1_5)

Vulnerability ID: GHSA-5739-39V2-5754
CVSS Score: 6.3
Published: 2026-06-18

An observable timing discrepancy vulnerability in the web-token/jwt-framework library allows unauthenticated remote attackers to perform a Bleichenbacher / Marvin padding oracle attack against JWE tokens using the RSAES-PKCS1-v1_5 algorithm. By failing to perform constant-time implicit rejection on PKCS#1 v1.5 padding failures, the decryption process leaks structural validation errors via exceptions and early returns, exposing the wrapped Content Encryption Key (CEK) to cryptographic recovery.

TL;DR

A timing side-channel in the RSA1_5 key decryption utility of PHP's jwt-framework leaks whether validation succeeded or failed. Remote, unauthenticated attackers can exploit this timing discrepancy to recover the JWE Content Encryption Key (CEK) via a Bleichenbacher / Marvin padding oracle attack.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability ID: GHSA-5739-39V2-5754
  • CWE ID: CWE-208
  • Attack Vector: Network (AV:N)
  • CVSS Score: 6.3 (Medium)
  • Exploit Status: Proof-of-Concept
  • CISA KEV Status: Not Listed

Affected Systems

  • web-token/jwt-library
  • web-token/jwt-framework
  • web-token/jwt-library: < 3.4.10 (Fixed in: 3.4.10)
  • web-token/jwt-library: >= 4.0.0, < 4.0.7 (Fixed in: 4.0.7)
  • web-token/jwt-library: >= 4.1.0, < 4.1.7 (Fixed in: 4.1.7)
  • web-token/jwt-framework: <= 4.1.6 (Fixed in: 4.1.7)

Mitigation Strategies

  • Upgrade web-token/jwt-framework and web-token/jwt-library to patched versions (3.4.10+, 4.0.7+, 4.1.7+).
  • Disable the RSA1_5 key management algorithm inside application configurations.
  • Transition JWE implementations to use RSA-OAEP algorithms such as RSA-OAEP-256.

Remediation Steps:

  1. Identify all current references to 'web-token/jwt-library' or 'web-token/jwt-framework' in the composer.json file.
  2. Execute 'composer update web-token/jwt-framework web-token/jwt-library --with-dependencies' to pull the secure patched versions.
  3. Review the instantiation of your JWE AlgorithmManager and remove the class 'Jose\Component\Encryption\Algorithm\KeyEncryption\RSA15' from the enabled key encryption algorithm array.
  4. Redeploy the application to production and monitor server logs for any anomalies or unexpected JWE parsing errors.
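
The following audit script is an added example, not code from the advisory or from the web-token project. It supports steps 1 and 4 by checking a composer.lock (which records the resolved versions, unlike the constraints in composer.json) against the affected ranges listed on this page, and by flagging compact JWE tokens whose protected header still declares `RSA1_5`. The function names and the sample lock content are constructed for illustration.

```python
import base64
import json

# Affected ranges copied from this page: (package, inclusive lower bound or None, first fixed version).
AFFECTED = [
    ("web-token/jwt-library", None, (3, 4, 10)),
    ("web-token/jwt-library", (4, 0, 0), (4, 0, 7)),
    ("web-token/jwt-library", (4, 1, 0), (4, 1, 7)),
    ("web-token/jwt-framework", None, (4, 1, 7)),  # listed as <= 4.1.6
]

def parse_version(text):
    """'v4.0.6' or '4.0.6-beta1' -> (4, 0, 6); None for branch aliases such as 'dev-main'."""
    parts = text.lstrip("vV").split("-")[0].split(".")
    if not parts[0].isdigit():
        return None
    nums = [int(p) for p in parts[:3] if p.isdigit()]
    return tuple(nums + [0] * (3 - len(nums)))

def audit_lock(lock_text):
    """Return (package, locked version, verdict) for each locked package that needs action."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, raw = pkg.get("name"), str(pkg.get("version", ""))
        if name not in {a[0] for a in AFFECTED}:
            continue
        ver = parse_version(raw)
        if ver is None:  # cannot compare a branch alias; surface it instead of skipping
            findings.append((name, raw, "unparsed, review manually"))
            continue
        for pkg_name, low, fixed in AFFECTED:
            if pkg_name == name and (low is None or ver >= low) and ver < fixed:
                findings.append((name, raw, "upgrade to " + ".".join(map(str, fixed))))
    return findings

def jwe_uses_rsa1_5(compact_jwe):
    """True if the protected header of a compact-serialized JWE declares alg RSA1_5."""
    header_b64 = compact_jwe.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    try:
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # malformed base64 or JSON: not a header we can classify
        return False
    return isinstance(header, dict) and header.get("alg") == "RSA1_5"

if __name__ == "__main__":
    sample = '{"packages": [{"name": "web-token/jwt-library", "version": "4.0.6"}]}'  # constructed
    print(audit_lock(sample))
```

Tokens flagged by `jwe_uses_rsa1_5` after RSA15 has been removed from the algorithm manager point to clients that still need to move to RSA-OAEP-256.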
