Brute Force Vulnerability in Ruby JSON Web Encryption Implementation by JWT
CVE-2025-54887

9.1CRITICAL

Key Information:

Vendor: Jwt
Status: Ruby-jwe
Vendor: CVE Published:; 8 August 2025

What is CVE-2025-54887?

The jwe library, which implements the JSON Web Encryption standard for Ruby, has a vulnerability in versions 1.1.0 and earlier that allows an attacker to brute force authentication tags of encrypted JSON Web Encryptions (JWEs). This vulnerability threatens the confidentiality of sensitive data contained in JWEs, enabling attackers to manipulate or craft arbitrary JWEs. Even users not employing the AES-GCM encryption algorithm are at risk due to potential exposure of the GCM internal GHASH key. It is essential for users to rotate their encryption keys following an upgrade to version 1.1.1, where this issue has been resolved.

Affected Version(s)

ruby-jwe < 1.1.1

References

https://github.com/jwt/ruby-jwe/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/jwt/ruby-jwe/commit/1e719d79ba3d7aadaa...

x_refsource_MISC

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 8, 2025
Vulnerability Reserved
Jul 31, 2025

Jwt

What is CVE-2025-54887?

Affected Version(s)

References

CVSS V3.1

Timeline