title: Auth tag forgery vulnerability with AES-GCM encrypted JWT
Ruby's OpenSSL bindings do not check the length of the supplied
authentication tag when decrypting with an authenticated encryption
mode such as AES-GCM, leaving it to gem and application authors to
enforce the expected tag length as part of validating the message.
json-jwt was not checking the authentication tag length, so a JWT
carrying a one-byte tag would be accepted as untampered. As a result,
an attacker can forge a valid signature in an average of 128 (at most
256) attempts.
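The following is an added example, not json-jwt's own code, showing the gap the advisory describes and the length check that closes it. It uses Ruby's OpenSSL bindings directly with AES-256-GCM; the key, IV and the JWE-header-like AAD string are constructed for the demo, and the 16-byte tag length is the one the JWA GCM algorithms (A128GCM/A256GCM) specify.

```ruby
require 'openssl'

# Tag length required for the JWA AES-GCM content encryption algorithms.
TAG_LEN = 16

# Demo helper: encrypt with AES-256-GCM and return [ciphertext, tag].
def gcm_encrypt(key, iv, plaintext, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_data = aad
  ct = cipher.update(plaintext) + cipher.final
  [ct, cipher.auth_tag] # auth_tag returns the full 16-byte tag by default
end

# Decrypt the way a library that forgets the length check does: the tag is
# handed to OpenSSL as-is, and OpenSSL compares only as many bytes as it was
# given (anything from 1 to 16), so a short tag shrinks the integrity check.
def gcm_decrypt_unchecked(key, iv, ciphertext, tag, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = aad
  cipher.update(ciphertext) + cipher.final # raises CipherError on mismatch
end

# Hardened variant: refuse any tag that is not exactly TAG_LEN bytes before
# OpenSSL ever sees it. This is the check the fixed json-jwt versions add.
def gcm_decrypt_checked(key, iv, ciphertext, tag, aad)
  unless tag.bytesize == TAG_LEN
    raise ArgumentError, "auth tag must be #{TAG_LEN} bytes, got #{tag.bytesize}"
  end
  gcm_decrypt_unchecked(key, iv, ciphertext, tag, aad)
end

# Runs both decrypt paths against a full tag and a tag truncated to one byte
# (constructed sample data) and reports what each path accepts.
def demo
  key = OpenSSL::Random.random_bytes(32)
  iv  = OpenSSL::Random.random_bytes(12)
  aad = 'eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0' # constructed: a JWE protected header as AAD
  plaintext = '{"sub":"alice"}'                    # constructed sample payload
  ct, tag = gcm_encrypt(key, iv, plaintext, aad)
  truncated = tag.byteslice(0, 1)

  unchecked_truncated = begin
    gcm_decrypt_unchecked(key, iv, ct, truncated, aad)
  rescue OpenSSL::Cipher::CipherError
    :rejected
  end

  checked_truncated = begin
    gcm_decrypt_checked(key, iv, ct, truncated, aad)
  rescue ArgumentError
    :rejected
  end

  {
    full_tag_ok: gcm_decrypt_checked(key, iv, ct, tag, aad) == plaintext,
    unchecked_accepts_truncated: unchecked_truncated == plaintext,
    checked_rejects_truncated: checked_truncated == :rejected
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The length check belongs before `auth_tag=`, because once a short tag has been handed to OpenSSL the verification in `final` is already weakened to that many bytes; rejecting the token up front also keeps the failure mode a plain input-validation error rather than a cryptographic one.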
- "< 0.5.1"
- ">= 1.9.4"