Allows firebase 6.x to be installed and fixes insecure encryption issue.
firebase/php-jwt@5.5.1 is vulnerable to Insecure Encryption due to an algorithm-confusion issue (e.g., RS256 / HS256) that exists via the kid (aka Key ID) header when multiple types of keys are loaded in a key ring. This allows an attacker to forge tokens that validate under the incorrect key. This vulnerability is fixed in firebase/php-jwt@6.0.0.
I tested this in my production project today which completely relies on Azure authentication, and found no issues. As far as I'm concerned the release can be tagged.
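The algorithm-confusion issue in the PR description, as an added example that is not part of this PR or of firebase/php-jwt: a simplified Python model of a key ring whose verifier either accepts the token's `alg` header for whatever key `kid` selects, or binds each key to one algorithm. The key material, `kid` names and the `bind_alg_to_key` flag are constructed for illustration, and only the HS256 path is modelled.

```python
import base64, hashlib, hmac, json

# Constructed key ring: kid -> (algorithm the key is meant for, key material).
# The RSA entry stands in for a public PEM, which is not secret.
KEY_RING = {
    "rsa-1": ("RS256", b"-----BEGIN PUBLIC KEY-----\n(constructed)\n-----END PUBLIC KEY-----\n"),
    "hmac-1": ("HS256", b"constructed-shared-secret"),
}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + b"=" * (-len(seg) % 4))

def hs256_token(claims, kid, key):
    """Build an HS256 token; used here only to produce sample input."""
    header = {"typ": "JWT", "alg": "HS256", "kid": kid}
    signing_input = (b64url(json.dumps(header).encode()) + b"."
                     + b64url(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return signing_input + b"." + b64url(sig)

def verify(token, key_ring, bind_alg_to_key):
    """Return the claims or raise ValueError."""
    head_seg, body_seg, sig_seg = token.split(b".")
    header = json.loads(b64url_decode(head_seg))
    if header.get("kid") not in key_ring:
        raise ValueError("unknown kid")
    key_alg, key = key_ring[header["kid"]]
    alg = header.get("alg")
    # A global allow-list alone does not help when the ring holds both key types.
    if alg not in ("RS256", "HS256"):
        raise ValueError("alg not allowed")
    # The check that closes the gap: the algorithm belongs to the key, not the token.
    if bind_alg_to_key and alg != key_alg:
        raise ValueError("alg does not match key type")
    if alg != "HS256":
        raise NotImplementedError("only the HS256 path is modelled")
    expected = hmac.new(key, head_seg + b"." + body_seg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_seg))
```

With `bind_alg_to_key=False`, a token that names `rsa-1` but declares HS256 verifies against the public key bytes; with `True` it is rejected before any signature is computed.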