PT-2021-23093 · Unknown · Lcobucci/Jwt

Arokettu · Published 2021-09-28 · Updated 2021-10-07 · CVE-2021-41106

CVSS v3.1: 4.4 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

lcobucci/jwt versions prior to 3.4.6
lcobucci/jwt versions prior to 4.0.4
lcobucci/jwt versions prior to 4.1.5

Description

The issue affects users of the HMAC-based algorithms HS256, HS384 and HS512 when the key is a Lcobucci\JWT\Signer\Key\LocalFileReference. Instead of the file contents, the file path string is used as the HMAC key, so tokens are issued and validated with the wrong secret. Because the HMAC functions accept any string as a key, no error is raised and everything appears to work properly.

Recommendations

For versions prior to 3.4.6, update to version 3.4.6 or later.
For versions prior to 4.0.4, update to version 4.0.4 or later.
For versions prior to 4.1.5, update to version 4.1.5 or later.

As a temporary workaround, use Lcobucci\JWT\Signer\Key\InMemory instead of Lcobucci\JWT\Signer\Key\LocalFileReference to create instances of your keys. Replace use Lcobucci\JWT\Signer\Key\LocalFileReference; with use Lcobucci\JWT\Signer\Key\InMemory; and update key creation from $key = LocalFileReference::file(__DIR__ . '/public-key.pem'); to $key = InMemory::file(__DIR__ . '/public-key.pem');.
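To show why the bug goes unnoticed and how an operator can audit already-issued tokens for it, here is an added Python example (not the library's code): it reproduces HS256 signing with the standard hmac module instead of lcobucci/jwt, and the key path, key file contents and claims are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for a deployment's HMAC key file: the path the
# application configured, and the bytes the file actually holds.
KEY_PATH = "/srv/app/config/hmac-secret.key"              # constructed
KEY_CONTENTS = b"constructed-32-byte-hmac-secret-value-xx"  # constructed


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def hs256_sign(payload: dict, key: bytes) -> str:
    """Build an HS256 compact JWT over `payload` using `key` as the HMAC secret."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"


def hs256_verifies(token: str, key: bytes) -> bool:
    """True if the signature is HMAC-SHA256 over header.payload under `key`."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    actual = base64.urlsafe_b64decode(sig + "=" * (-len(sig) % 4))
    return hmac.compare_digest(expected, actual)


def classify_key_material(token: str, key_path: str, key_contents: bytes) -> str:
    """Audit which secret a token was really signed with.

    HMAC accepts any byte string, so a token signed with the *path* verifies
    as cleanly as one signed with the file's *contents*; only trying both
    candidates reveals the pre-fix LocalFileReference behaviour.
    """
    if hs256_verifies(token, key_contents):
        return "file-contents"  # correct: fixed versions, or InMemory::file()
    if hs256_verifies(token, key_path.encode("utf-8")):
        return "file-path"      # bug: the path string was used as the HMAC key
    return "unknown"


# Simulate both library behaviours over the same constructed claims.
CLAIMS = {"sub": "user-42", "iat": 1632787200}
VULNERABLE_TOKEN = hs256_sign(CLAIMS, KEY_PATH.encode("utf-8"))  # pre-fix
FIXED_TOKEN = hs256_sign(CLAIMS, KEY_CONTENTS)                   # fixed
```

Running classify_key_material over tokens issued before the upgrade tells you whether sessions must be invalidated and reissued, not just whether the library was patched.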

Weakness Enumeration

Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2021-41106
GHSA-7322-JRQ4-X5HF

Affected Products

Lcobucci/Jwt