9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-54887

GHSA ID

GHSA-c7p4-hx26-pr73

EPSS Score

CWE

CWE-354

Published

8/7/2025

Updated

8/7/2025

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54887

CVE-2025-54887: JWE is missing AES-GCM authentication tag validation in encrypted JWE

Overview

The authentication tag of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs.

Impact

JWEs can be modified to decrypt to an arbitrary value
JWEs can be decrypted by observing parsing differences
The GCM internal GHASH key can be recovered

Am I Affected?

You are affected by this vulnerability even if you do not use an AES-GCM encryption algorithm for your JWEs.

Patches

The version 1.1.1 fixes the issue by adding the tag length check for the AES-GCM algorithm.

Important: As the GHASH key could have leaked, you must rotate the encryption keys after upgrading to version 1.1.1.

References

Félix Charette talk at NorthSec 2025 about the issue

(GitHub Advisory)

9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-54887

GHSA ID

GHSA-c7p4-hx26-pr73

EPSS Score

CWE

CWE-354

Published

8/7/2025

Updated

8/7/2025

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
jwe	rubygems	<= 1.1.0	1.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The security vulnerability is a critical flaw in the JWE decryption process for the AES-GCM encryption algorithm. Specifically, the code failed to validate the length of the authentication tag before using it in the decryption cipher. This omission allows for a practical brute-force attack on the tag. An attacker can submit JWEs with incrementally guessed tags and, by observing the server's responses, can reconstruct the full, valid authentication tag. A successful attack not only allows the decryption of sensitive information but also enables the attacker to recover the internal GHASH key, which grants them the ability to forge arbitrary JWEs that will be accepted as valid. The patch addresses this by introducing a strict length check on the authentication tag within the JWE::Enc::AesGcm.setup_cipher method, which is called by the JWE::Enc::AesGcm.decrypt method, thus closing the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Ov*rvi*w T** *ut**nti**tion t** o* *n*rypt** JW*s **n ** *rut* *or***, w*i** m*y r*sult in loss o* *on*i**nti*lity *or t*os* JW*s *n* provi** w*ys to *r**t *r*itr*ry JW*s. ### Imp**t - JW*s **n ** mo*i*i** to ***rypt to *n *r*itr*ry v*lu* - JW*s

Reasoning

T** s**urity vuln*r**ility is * *riti**l *l*w in t** JW* ***ryption pro**ss *or t** **S-**M *n*ryption *l*orit*m. Sp**i*i**lly, t** *o** **il** to v*li**t* t** l*n*t* o* t** *ut**nti**tion t** ***or* usin* it in t** ***ryption *ip**r. T*is omission *

9.1

Basic Information

Concerned about an active attack path?

CVE-2025-54887: JWE is missing AES-GCM authentication tag validation in encrypted JWE

Overview

Impact

Am I Affected?

Patches

References

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI