GHSA-JC38-X7X8-2XC8: GHSA-jc38-x7x8-2xc8: Algorithm Confusion and Header Override Vulnerability in PHP JWT Framework

GHSA-jc38-x7x8-2xc8: Algorithm Confusion and Header Override Vulnerability in PHP JWT Framework

Vulnerability ID: GHSA-JC38-X7X8-2XC8
CVSS Score: 8.1
Published: 2026-06-18

An algorithm confusion vulnerability exists in the PHP JWT Framework (web-token/jwt-library) where the JWSVerifier and JWEDecrypter components merge integrity-protected and unprotected headers using insecure methods. Under specific conditions, duplicate parameters defined in unprotected headers override those in integrity-protected headers, allowing an attacker to bypass cryptographic signature verification.

TL;DR

A flaw in the way PHP JWT Framework merges headers allows parameters in unprotected headers to overwrite those in protected headers, leading to cryptographic signature bypass via algorithm confusion.

---

⚠️ Exploit Status: POC

Technical Details

• CWE ID: CWE-345 (Active Verification of Cryptographic Signature)
• Attack Vector: Network (AV:N)
• CVSS v4.0 Score: 8.1
• Exploit Status: Proof of Concept
• Vulnerability Type: Cryptographic Bypass / Algorithm Confusion
• Affected Component: JWSVerifier and JWEDecrypter

Affected Systems

• PHP JWT Framework (web-token/jwt-framework) under web-token/jwt-library component
• web-token/jwt-library: < 3.4.10 (Fixed in: 3.4.10)
• web-token/jwt-library: >= 4.0.0, < 4.0.7 (Fixed in: 4.0.7)
• web-token/jwt-library: >= 4.1.0, < 4.1.7 (Fixed in: 4.1.7)

Mitigation Strategies

• Upgrade the web-token/jwt-library dependency to version 3.4.10, 4.0.7, or 4.1.7 depending on the base release in use.
• Separate asymmetric (RSA/ECDSA) keys and symmetric (HMAC) keys into distinct JWKS key sets to prevent cross-protocol key reuse.
• Configure HeaderCheckerManager to strictly validate that critical algorithm headers exist only within integrity-protected containers.

Remediation Steps:

1. Locate the composer.json file in the application root directory.
2. Update the web-token/jwt-framework or web-token/jwt-library version constraints to point to the patched releases.
3. Execute the dependency manager command 'composer update web-token/jwt-library' to pull the secure version.
4. Search the codebase for manual configurations of JWKSet to confirm that public verification keys are segregated from secret symmetric keys.

References

• GitHub Security Advisory GHSA-jc38-x7x8-2xc8
• OSV Vulnerability Record for GHSA-jc38-x7x8-2xc8
• PHP JWT Framework Security Advisory on GitHub
• FriendsOfPHP Security Advisory Metadata
• PHP JWT Framework Repository

---

Read the full report for GHSA-JC38-X7X8-2XC8 on our website for more details including interactive diagrams and full exploit analysis.