CVE-2025-45765

CRITICAL

ruby-jwt v3.0.0.beta1 - Info Disclosure

Title source: llm

Description

ruby-jwt v3.0.0.beta1 was discovered to contain weak encryption. NOTE: the Supplier's perspective is "keysize is not something that is enforced by this library. Currently more recent versions of OpenSSL are enforcing some key sizes and those restrictions apply to the users of this gem also."

References (2)

[Various Sources] https://gist.github.com/ZupeiNie/c621253068ce5b64911629534879e8f9

[Issue Tracking] https://github.com/jwt/ruby-jwt/issues/668

Scores

CVSS v3 9.1

EPSS 0.0003

EPSS Percentile 9.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-326

Status published

Published Aug 07, 2025

Tracked Since Feb 18, 2026