firebase/php-jwt@6.11.1 Vulnerability issue

[maheshv546]

Detailed paths
Introduced through: voya/drupal-platform@0.0.0 › drupal/apigee_edge@3.0.11 › apigee/apigee-client-php@3.0.9 › firebase/php-jwt@6.11.1

Security information
Factors contributing to the scoring:

• Snyk: CVSS v4.0 6.3 - Medium Severity | CVSS v3.1 5.6 - Medium Severity

• NVD: Not available. NVD has not yet published its analysis.

Overview
Affected versions of this package are vulnerable to Inadequate Encryption Strength due to the HMAC and RSA key lengths used in the JSON Web Signature (JWS) implementation not meeting recommended security standards.

Also need confirmation on this

• Is it using HS256 with a short or guessable secret?
• Is it configured to allow "none" algorithm?
• Is it using RSA or ECDSA with a strong key?
• All JWTs are issued/consumed only by trusted and secure parties?
• Upstream packages configure JWT securely.

[divya-intelli]

Thank you @maheshv546 for reporting the security vulnerability in the firebase/php-jwt package.
We will investigate this issue and will share further details soon.

[divya-intelli]

Hi @maheshv546 ,
We found that this issue is currently under discussion in the firebase/php-jwt repository (firebase/php-jwt#605). We plan to update the firebase/php-jwt version within apigee-client-php once the new version containing the fix is released.

[maheshv546]

Thanks for the update @divya-intell, please update us when the new version with the fix is released.

[maheshv546]

@divya-intelli when can we expect a fix for this issue.

[divya-intelli]

@maheshv546 , still waiting for firebase/php-jwt#605 to be merged. Will follow up on the pull request and update this thread immediately once the issue is resolved.

[shailesh-google]

Hello @maheshv546,

Thank you for bringing this to our attention. We have addressed the firebase/php-jwt security vulnerability (CVE-2025-45769) by upgrading the dependency to latest version ^7.0, which includes the necessary programmatic checks for encryption strength.

We have prepared two Pull Requests to cover both currently supported Drupal environments:

Drupal 10: apigee-client-php PR #454

Drupal 11: apigee-client-php PR #455

[maheshv546]

@divya-intelli We are using apigee_edge 3.0.13 module which requires apigee/apigee-client-php (~3.0.10)
this apigee/apigee-client-php 3.0.10 requires firebase/php-jwt (^6.0) so not getting how to update this to 7.0

We have specified in composer.lock "firebase/php-jwt": "^6.0",

[shishir-intelli]

Hi @maheshv546

We have already created a Pull Request to add support for firebase/php-jwt: ^7.0 in the client library: PR #454: Add support for firebase/php-jwt v7 for 3.x branch
This PR is currently under review. Once it is merged and a new version of the library is tagged, the restriction will be lifted.
After the release, you will be able to update your environment by running composer update.

We will notify you here once the PR is merged and the new release is available for update.

If you would like to test these changes immediately in your environment, you can apply the changes from the PR as a patch to your current installation. You can find the raw patch file here: https://github.com/apigee/apigee-client-php/pull/454.patch and then run composer update.