Update jwe to patch vulnerability #12414

Merged
mitchellhenke merged 1 commit into main from mitchellhenke/update-jwe on Aug 11, 2025

@mitchellhenke
Contributor

🛠 Summary of changes

Addresses a recently published vulnerability in jwe.

```
$ bundle audit
Name: jwe
Version: 0.4.0
CVE: CVE-2025-54887
GHSA: GHSA-c7p4-hx26-pr73
Criticality: Critical
URL: https://github.com/jwt/ruby-jwe/security/advisories/GHSA-c7p4-hx26-pr73
Title: JWE is missing AES-GCM authentication tag validation in encrypted JWE
Solution: update to '>= 1.1.1'

Vulnerabilities found!
```

@mitchellhenke mitchellhenke requested a review from a team August 8, 2025 17:49
changelog: Internal, Maintenance, Update jwe to patch vulnerability
@mitchellhenke mitchellhenke force-pushed the mitchellhenke/update-jwe branch from 8257f9e to 936c844 Compare August 11, 2025 13:05
@mitchellhenke mitchellhenke merged commit b0e062a into main Aug 11, 2025
1 check passed
@mitchellhenke mitchellhenke deleted the mitchellhenke/update-jwe branch August 11, 2025 14:15
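
A lockfile gate for the fix version named in the audit output, as an added example that is not part of this pull request or the project's code: it reads the resolved `jwe` version from `Gemfile.lock` text and reports whether it is below 1.1.1. The sample lockfile, the `example_dep` gem and the `check_jwe.rb` file name are constructed for illustration.

```ruby
require "rubygems"

# Minimum fixed version, from the "Solution" line of the audit output above.
PATCHED_JWE = Gem::Version.new("1.1.1")

# Constructed sample lockfile (not this repository's Gemfile.lock).
# "example_dep" is a made-up gem whose constraint line must be ignored.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example_dep (1.0.0)
        jwe (>= 0.1)
      jwe (0.4.0)

  DEPENDENCIES
    example_dep
    jwe
LOCK

# Return the resolved Gem::Version of gem_name from Gemfile.lock text, or nil.
# Only 4-space "name (version)" entries under "specs:" are resolved versions;
# 6-space lines are dependency constraints and are skipped.
def locked_version(lockfile_text, gem_name)
  in_specs = false
  lockfile_text.each_line(chomp: true) do |line|
    if line == "  specs:"
      in_specs = true
    elsif line.empty? || line.match?(/\A\S/)
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([0-9A-Za-z.]+)/))
      return Gem::Version.new(m[2]) if m[1] == gem_name
    end
  end
  nil
end

# :absent, :vulnerable (below 1.1.1) or :patched.
def jwe_status(lockfile_text)
  version = locked_version(lockfile_text, "jwe")
  return :absent if version.nil?
  version >= PATCHED_JWE ? :patched : :vulnerable
end

# Hypothetical CI usage: ruby check_jwe.rb Gemfile.lock (exits 1 if vulnerable).
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  status = jwe_status(File.read(ARGV[0]))
  puts "jwe: #{status}"
  exit(1) if status == :vulnerable
end
```
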