[GHSA-9gxv-x7rp-r2hc] gree/jose - "None" Algorithm treated as valid in tokens#8014
Open
RainSignal wants to merge 1 commit into
Open
[GHSA-9gxv-x7rp-r2hc] gree/jose - "None" Algorithm treated as valid in tokens#8014RainSignal wants to merge 1 commit into
RainSignal wants to merge 1 commit into
Conversation
Copilot stopped work on behalf of
RainSignal due to an error
June 11, 2026 18:07
github-actions
Bot
changed the base branch from
main
to
RainSignal/advisory-improvement-8014
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updates
Comments
The advisory states no solution is available, but version 2.2.1
contains a fix. The patch can be verified at:
https://github.com/nov/jose-php/blob/2.2.1/src/JOSE/JWS.php
The fix in 2.2.1 addresses the algorithm confusion attack in
_verify() by adding a $using_autodetected_alg flag. When the
algorithm is auto-detected from the JWT header (i.e. $expected_alg
is not explicitly provided by the caller), HMAC algorithms (HS256,
HS384, HS512) are now explicitly rejected with an exception:
"HMAC algs MUST be explicitly specified as $expected_alg"
This prevents attackers from changing the algorithm in the JWT
header from RS256 to HS256 and using the public key as the HMAC
secret to forge a valid signature.
Version 2.2.1 also fixes a timing attack vulnerability by replacing
direct string comparison (===) with hash_equals() for HMAC
signature verification, preventing timing-based side-channel attacks.
The current description refers to vulnerabilities in other JWT
libraries (node-jsonwebtoken, pyjwt, namshi/jose, php-jwt, jsjwt)
and does not describe the actual vulnerability in gree/jose. The
correct description should be:
The _verify() method in JOSE_JWS trusts the algorithm specified
in the JWT header when $expected_alg is not explicitly provided
by the caller. This allows an attacker to change the algorithm
from RS256 to HS256 in the token header and sign the token using
the server's public key as the HMAC secret, bypassing signature
verification entirely.