{"uuid": "9f1379fa-cd1b-40e9-b64d-29b25bf3eb0f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-5739-39v2-5754", "type": "seen", "source": "https://gist.github.com/alon710/c128a0f63af7d1e750d123d65278758d", "content": "# GHSA-5739-39V2-5754: Bleichenbacher / Marvin Padding Oracle in PHP JWE Decryption (RSAES-PKCS1-v1_5)\n\n> **CVSS Score:** 6.3\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/GHSA-5739-39V2-5754\n\n## Summary\nAn observable timing discrepancy vulnerability in the web-token/jwt-framework library allows unauthenticated remote attackers to perform a Bleichenbacher / Marvin padding oracle attack against JWE tokens using the RSAES-PKCS1-v1_5 algorithm. Because it does not perform constant-time implicit rejection on PKCS#1 v1.5 padding failures, the decryption process leaks structural validation errors via exceptions and early returns, exposing the wrapped Content Encryption Key (CEK) to cryptographic recovery.\n\n## TL;DR\nA timing side-channel in the RSA1_5 key decryption utility of the PHP jwt-framework library leaks whether padding validation succeeded or failed. 
Remote, unauthenticated attackers can exploit this timing discrepancy to recover the JWE Content Encryption Key (CEK) via a Bleichenbacher / Marvin padding oracle attack.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **Vulnerability ID**: GHSA-5739-39V2-5754\n- **CWE ID**: CWE-208\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 6.3 (Medium)\n- **Exploit Status**: Proof-of-Concept\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- web-token/jwt-library\n- web-token/jwt-framework\n- **web-token/jwt-library**: < 3.4.10 (Fixed in: `3.4.10`)\n- **web-token/jwt-library**: >= 4.0.0, < 4.0.7 (Fixed in: `4.0.7`)\n- **web-token/jwt-library**: >= 4.1.0, < 4.1.7 (Fixed in: `4.1.7`)\n- **web-token/jwt-framework**: <= 4.1.6 (Fixed in: `4.1.7`)\n\n## Mitigation\n\n- Upgrade web-token/jwt-framework and web-token/jwt-library to patched versions (3.4.10+, 4.0.7+, 4.1.7+).\n- Disable the RSA1_5 key management algorithm inside application configurations.\n- Transition JWE implementations to use RSA-OAEP algorithms such as RSA-OAEP-256.\n\n**Remediation Steps:**\n1. Identify all current references to 'web-token/jwt-library' or 'web-token/jwt-framework' in the composer.json file.\n2. Execute 'composer update web-token/jwt-framework web-token/jwt-library --with-dependencies' to pull the secure patched versions.\n3. Review the instantiation of your JWE AlgorithmManager and remove the class 'Jose\\Component\\Encryption\\Algorithm\\KeyEncryption\\RSA15' from the enabled key encryption algorithm array.\n4. 
Redeploy the application to production and monitor server logs for any anomalies or unexpected JWE parsing errors.\n\n## References\n\n- [GitHub Security Advisory GHSA-5739-39V2-5754](https://github.com/advisories/GHSA-5739-39V2-5754)\n- [Library Advisory Details](https://github.com/web-token/jwt-framework/security/advisories/GHSA-5739-39v2-5754)\n- [FriendsOfPHP Advisory Mapping](https://github.com/FriendsOfPHP/security-advisories/blob/master/web-token/jwt-library/GHSA-5739-39v2-5754.yaml)\n- [Mitigating Pull Request (PR #652)](https://github.com/web-token/jwt-framework/pull/652)\n- [Release Tag 3.4.10](https://github.com/web-token/jwt-framework/releases/tag/3.4.10)\n- [Release Tag 4.0.7](https://github.com/web-token/jwt-framework/releases/tag/4.0.7)\n- [Release Tag 4.1.7](https://github.com/web-token/jwt-framework/releases/tag/4.1.7)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-5739-39V2-5754) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T22:41:42.000000Z"}