php-jwt 1.0.0 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel.
The strcmp function compares strings character by character and stops when it encounters the first difference, causing response time variability depending on the number of correct characters at the beginning of the compared string. An attacker can measure the server's response time for successive attempts and gradually guess the correct JWT token value based on this information. This type of vulnerability, called timing side channel (CWE-203), allows secret recovery without direct access to its value. A secure implementation should use constant-time comparison.
An attacker can bypass the JWT token-based authentication mechanism and gain unauthorized access to protected application resources, threatening the confidentiality, integrity, and availability of the system.
Apply patches available from the vendor according to references. It is recommended to replace the strcmp function with a constant-time comparison function (e.g., hash_equals in PHP) in all places where JWT tokens are verified.
Zihanggao php-jwt version 1.0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HZihanggao PHP Jwt
APPZihanggao1.0.0