PT-2026-41777 · Rubygems · Ruby-Jwt
Published
2026-05-13
·
Updated
2026-05-18
·
CVE-2026-45363
CVSS v2.0
7.6
High
| Vector | AV:N/AC:H/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
ruby-jwt (affected versions not specified)
Description
A flaw in the authentication procedure allows the library to accept forged tokens when an empty string is used as the verification key. This occurs because the HMAC algorithm lacks a precondition to reject empty keys, and
OpenSSL::HMAC.digest returns a valid digest under these conditions. The issue affects HS256, HS384, and HS512 algorithms via JWT.decode (using both positional keys and block keyfinders) and the verify signature! function. This can be triggered when keyfinder blocks or arguments return an empty string, or when applications use patterns that result in empty strings, such as ENV['SECRET'] || '' or ORM columns with empty string defaults. Exploitation of this issue may lead to a denial of service.Recommendations
Enable the
enforce hmac key length option to block the use of empty keys.
Avoid using empty strings as keys in JWT.decode() or within keyfinder blocks.
Ensure that keyfinder blocks return nil or raise an error instead of returning an empty string when a key is not found.Exploit
Fix
Inadequate Encryption Strength
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Ruby-Jwt