Skip to content

vonage-7.2.0.gem: 1 vulnerabilities (highest severity is: 9.1) #11

Description

@mend-for-github-com
Vulnerable Library - vonage-7.2.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/jwt-2.2.2.gem

Found in HEAD commit: b4a20724d6dd11e52f4677c251d1a94c978e4363

Vulnerabilities

Vulnerability Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (vonage version) Remediation Possible** Reachability
CVE-2026-45363 Critical 9.1 Not Defined 0.018% jwt-2.2.2.gem Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-45363

Vulnerable Library - jwt-2.2.2.gem

A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.

Library home page: https://rubygems.org/gems/jwt-2.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/jwt-2.2.2.gem

Dependency Hierarchy:

  • vonage-7.2.0.gem (Root Library)
    • nexmo-jwt-0.1.1.gem
      • jwt-2.2.2.gem (Vulnerable Library)

Found in HEAD commit: b4a20724d6dd11e52f4677c251d1a94c978e4363

Found in base branch: main

Vulnerability Details

ruby-jwt is a Ruby implementation of the RFC 7519 OAuth JSON Web Token standard. Prior to 2.10.3 and 3.2.0, JWT.decode(token, '', true, algorithm: 'HS256') accepts an attacker-forged token because OpenSSL::HMAC.digest('SHA256', '', payload) returns a valid digest under an empty key and no empty-key precondition exists in the HMAC algorithm. The same path is reached when a keyfinder block or key_finder: argument returns an empty string, nil, or an array containing nil for an unknown key, affecting HS256, HS384, and HS512 verification through JWT.decode and JWT::EncodedToken#verify_signature!. This issue is fixed in versions 2.10.3 and 3.2.0.

Publish Date: 2026-07-14

URL: CVE-2026-45363

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.018%

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-18

Fix Resolution: https://github.com/jwt/ruby-jwt.git - v3.2.0

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions