CRITICAL🇵🇱 Wersja polska

CVE-2024-25191

CVSS 9.8v3.1pub. 2024-02-08upd. 2025-06-12

php-jwt 1.0.0 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel.

🤖 AI Analysis
How it works

The strcmp function compares strings character by character and stops when it encounters the first difference, causing response time variability depending on the number of correct characters at the beginning of the compared string. An attacker can measure the server's response time for successive attempts and gradually guess the correct JWT token value based on this information. This type of vulnerability, called timing side channel (CWE-203), allows secret recovery without direct access to its value. A secure implementation should use constant-time comparison.

Impact

An attacker can bypass the JWT token-based authentication mechanism and gain unauthorized access to protected application resources, threatening the confidentiality, integrity, and availability of the system.

Mitigation & patch

Apply patches available from the vendor according to references. It is recommended to replace the strcmp function with a constant-time comparison function (e.g., hash_equals in PHP) in all places where JWT tokens are verified.

Who is affected

Zihanggao php-jwt version 1.0.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Zihanggao PHP Jwt

    APP
    Zihanggao
    1.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References