Update your namshi/jose installations as a security vulnerability was found

Just a heads up on a problem we’ve found thanks to Tim, who has been reviewing some open source JWT / JWS implementations for fun.

Two days ago we rolled out a few new tags for namshi/jose which fix a security vulnerability in the library.

The problem was introduced in this PR and allows an attacker to impersonate other users. If you are running a vulnerable version you should upgrade immediately.

As far as installations are concerned:

  • 1.0 is not affected
  • 1.1 has been patched through 1.1.2
  • 1.2 has been patched through 1.2.2
  • 2.0 has been patched through 2.0.3
  • 2.1 has been patched through 2.1.2

Please check your composer.lock and composer.json: if you are running a vulnerable version, simply run composer update so that you are upgraded to a patched version.

Users of the LexikJwtAuthenticationBundle can do the same as the library requires namshi/jose@~1.1.
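To make the composer.lock check above mechanical, here is an added example (not part of the original post or of the namshi/jose project) that reads a composer.lock document, finds the pinned namshi/jose version, and classifies it against the patched tags listed above. It assumes plain X.Y.Z release tags (with or without a leading "v"); anything else, including branches the advisory does not mention, is reported as unknown rather than guessed. The embedded lock fragment is constructed for the demonstration.

```python
import json
import re

# Patched versions per minor branch, as listed in the advisory.
# 1.0 is stated to be unaffected, so it has no entry here.
PATCHED = {
    (1, 1): (1, 1, 2),
    (1, 2): (1, 2, 2),
    (2, 0): (2, 0, 3),
    (2, 1): (2, 1, 2),
}

def parse_version(tag):
    """Turn a tag such as 'v1.2.1' or '2.0.3' into a (major, minor, patch) tuple.
    Returns None for anything that is not a plain X.Y.Z release (e.g. dev-master)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())

def classify(tag):
    """Return 'not affected', 'vulnerable', 'patched' or 'unknown' for a namshi/jose tag."""
    v = parse_version(tag)
    if v is None:
        return "unknown"
    if v[:2] == (1, 0):
        return "not affected"
    fixed = PATCHED.get(v[:2])
    if fixed is None:
        return "unknown"          # branch not covered by the advisory
    return "patched" if v >= fixed else "vulnerable"

def check_lock(lock_text):
    """Locate namshi/jose in a composer.lock document and classify its pinned version.
    Returns (version, status); version is None when the package is not installed."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "namshi/jose":
                return pkg.get("version"), classify(pkg.get("version", ""))
    return None, "not installed"

# Constructed composer.lock fragment (not a real lock file) pinning a vulnerable tag.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "lexik/jwt-authentication-bundle", "version": "v1.0.0"},
        {"name": "namshi/jose", "version": "1.2.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    version, status = check_lock(text)
    print(f"namshi/jose {version}: {status}")  # sample prints: namshi/jose 1.2.1: vulnerable
```

Pass the path of a real composer.lock as the first argument to check an actual installation.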

We also opened a PR against the database of PHP security vulnerabilities run by the FriendsOfPHP organization, so you should be able to notice the issue through the Sensio security checker soon!