CVE-2018-1000025

Name of the Vulnerable Software and Affected Versions: Firebase Admin SDK for PHP versions 3.2.0 through 3.8.0

Description: The issue is related to an Incorrect Access Control vulnerability in the src/Firebase/Auth/IdTokenVerifier.php file, which does not verify token signatures. This can result in JWT tokens being forged with any email address and user ID, either from an actual token or created from scratch. The attack is exploitable if the attacker knows the email address of the victim in most cases.

Recommendations: For versions 3.2.0 through 3.8.0, update to version 3.8.1 to resolve the issue.