Researcher: Arokettu (#50741 of 53,633; total CVSS 4.4; vulnerabilities: 1)

PT-2021-23093 · CVSS 4.4 · 2021-09-28
Unknown · Lcobucci/Jwt · CVE-2021-41106
**Name of the Vulnerable Software and Affected Versions**

lcobucci/jwt versions prior to 3.4.6
lcobucci/jwt versions prior to 4.0.4
lcobucci/jwt versions prior to 4.1.5

**Description**

The issue affects users of the HMAC-based algorithms (HS256, HS384 and HS512) in combination with `Lcobucci\JWT\Signer\Key\LocalFileReference` as the key. Instead of the file contents, the file path string is used as the HMAC key, which leads to improper token issuance and validation. Because the HMAC functions accept any string as a key, nothing fails visibly and signing and verification appear to work normally.

**Recommendations**

For versions prior to 3.4.6, update to version 3.4.6 or later.
For versions prior to 4.0.4, update to version 4.0.4 or later.
For versions prior to 4.1.5, update to version 4.1.5 or later.

As a temporary workaround, use `Lcobucci\JWT\Signer\Key\InMemory` instead of `Lcobucci\JWT\Signer\Key\LocalFileReference` to create your key instances. Replace `use Lcobucci\JWT\Signer\Key\LocalFileReference;` with `use Lcobucci\JWT\Signer\Key\InMemory;` and change key creation from `$key = LocalFileReference::file(__DIR__ . '/public-key.pem');` to `$key = InMemory::file(__DIR__ . '/public-key.pem');`.
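An added example, not part of this advisory or of lcobucci/jwt, that shows how to audit already-issued HS256 tokens for the failure mode described: it verifies each token against the key file's bytes and against the file path string, so tokens signed with the path (the bug) can be told apart from tokens signed with the real key. It assumes a minimal stand-alone HS256 implementation, a constructed random key file, and that the path string may appear either bare or with a `file://` prefix, since the advisory does not state the exact form.

```python
import base64, hashlib, hmac, json, os, tempfile

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_sign(claims: dict, key: bytes) -> str:
    # Minimal HS256 JWT issuance: base64url(header).base64url(payload).base64url(sig).
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def hs256_verifies(token: str, key: bytes) -> bool:
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def audit_token(token: str, key_path: str) -> str:
    """'contents' = signed with the key file's bytes (intended behaviour);
    'path' = signed with the file path string instead (the bug described above);
    'neither' = signed with some other key. Assumption: the path is tried both
    bare and with a file:// prefix, as the advisory does not state the exact form."""
    with open(key_path, "rb") as fh:
        if hs256_verifies(token, fh.read()):
            return "contents"
    for candidate in (key_path, "file://" + key_path):
        if hs256_verifies(token, candidate.encode()):
            return "path"
    return "neither"

def demo() -> tuple:
    # Constructed sample: a random 32-byte key file and three tokens, one signed
    # the intended way, one the buggy way (path as key), one with an unrelated key.
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "hmac.key")
        key_bytes = os.urandom(32)
        with open(key_path, "wb") as fh:
            fh.write(key_bytes)
        claims = {"sub": "user-1", "iat": 1632787200}
        good = hs256_sign(claims, key_bytes)
        buggy = hs256_sign(claims, key_path.encode())
        foreign = hs256_sign(claims, b"some-other-secret")
        return (audit_token(good, key_path), audit_token(buggy, key_path),
                audit_token(foreign, key_path))

if __name__ == "__main__":
    print(demo())  # ('contents', 'path', 'neither')
```

Any token that audits as `path` was issued by an affected deployment and should be treated as signed with a guessable key; rotate to a fixed library version and re-issue tokens.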