
CVE-2025-54887: JWE is missing AES-GCM authentication tag validation in encrypted JWE

CVSS Score (v3.1): 9.1

Basic Information

EPSS Score: -
Published: 8/7/2025
Updated: 8/7/2025
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name: jwe
Ecosystem: rubygems
Vulnerable Versions: <= 1.1.0
First Patched Version: 1.1.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a critical flaw in the JWE decryption path for the AES-GCM content encryption algorithms. The code did not validate the length of the authentication tag before handing it to the decryption cipher, so whatever tag length the JWE carried was verified as-is. This makes a brute-force attack on the tag practical: an attacker can submit JWEs with incrementally guessed tags and, by observing whether the server accepts each one, reconstruct the full, valid authentication tag. A successful attack not only decrypts the protected content but also allows recovery of the internal GHASH key, which lets the attacker forge arbitrary JWEs that will be accepted as valid. The patch adds a strict length check on the authentication tag in the JWE::Enc::AesGcm.setup_cipher method, which JWE::Enc::AesGcm.decrypt calls, so that only a tag of the full 128-bit length that RFC 7518 requires for the AES-GCM algorithms reaches the cipher.

Vulnerable functions

JWE::Enc::AesGcm.setup_cipher
lib/jwe/enc/aes_gcm.rb
This function configures the decryption cipher. Before the patch, it assigned the caller-supplied authentication tag to the cipher without validating its length, so a tag of incorrect (shorter) length was accepted and verified as-is. By observing whether decryption fails for each candidate, an attacker can guess the authentication tag incrementally, which can ultimately lead to recovery of the GHASH key and compromise the confidentiality and integrity of the encrypted data.
JWE::Enc::AesGcm.decrypt
lib/jwe/enc/aes_gcm.rb
This method is the entry point for the decryption process. It calls `setup_cipher`, where the vulnerability existed, so any exploitation goes through `decrypt` with a specially crafted JWE that carries a malformed (wrong-length) authentication tag.
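To make the root cause and the fix concrete, here is an added Ruby illustration (not the jwe gem's own code) of the A256GCM decrypt shape the analysis above describes: one function hands the caller-supplied tag to OpenSSL without a length check, the other enforces the 128-bit tag length before the cipher sees it. The key, IV and protected-header string are constructed sample values.

```ruby
require 'openssl'

TAG_LEN = 16  # RFC 7518 fixes the AES-GCM JWE tag at 128 bits

# AES-256-GCM encryption returning [ciphertext, full 16-byte tag].
def gcm_encrypt(key, iv, plaintext, aad)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  c.iv = iv
  c.auth_data = aad
  ct = c.update(plaintext) + c.final
  [ct, c.auth_tag]
end

# Vulnerable shape: the caller-supplied tag goes straight to OpenSSL, which
# accepts any length from 1 to 16 bytes and verifies only those bytes.
def gcm_decrypt_unchecked(key, iv, ciphertext, tag, aad)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = iv
  c.auth_tag = tag
  c.auth_data = aad
  c.update(ciphertext) + c.final  # CipherError if the (possibly short) tag mismatches
end

# Hardened shape: reject any tag that is not exactly 128 bits before the cipher sees it.
def gcm_decrypt_checked(key, iv, ciphertext, tag, aad)
  raise ArgumentError, "invalid GCM tag length: #{tag.bytesize}" unless tag.bytesize == TAG_LEN
  gcm_decrypt_unchecked(key, iv, ciphertext, tag, aad)
end

# Reports :accepted or :rejected so the two shapes can be compared side by side.
def try_decrypt(decryptor, key, iv, ciphertext, tag, aad)
  send(decryptor, key, iv, ciphertext, tag, aad)
  :accepted
rescue ArgumentError, OpenSSL::Cipher::CipherError
  :rejected
end

# Constructed, fixed key/IV so the demo is deterministic (never reuse an IV under one key).
KEY = "\x11" * 32
IV  = "\x22" * 12
AAD = "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0"  # constructed base64url protected header
CT, TAG = gcm_encrypt(KEY, IV, "secret", AAD)

puts try_decrypt(:gcm_decrypt_unchecked, KEY, IV, CT, TAG[0, 1], AAD)  # accepted: only 8 tag bits checked
puts try_decrypt(:gcm_decrypt_checked,   KEY, IV, CT, TAG[0, 1], AAD)  # rejected
```

The first call shows why the missing check matters: a one-byte tag is verified against only one byte of the real tag, which is exactly the condition that makes incremental guessing feasible, and the length check removes it.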

WAF Protection Rules

WAF Rule

### Overview

The authentication tag of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs.

### Impact

- JWEs can be modified to decrypt to an arbitrary value
- JWEs
