Problem/Motivation

The version of firebase/php-jwt that the login_gov module requires is no longer considered a secure release due to https://github.com/advisories/GHSA-2x45-7fc3-mxwq. The firebase/php-jwt package cannot be manually upgraded to a secure version because of the dependency constraint in the login_gov module.

Steps to reproduce

Try to upgrade the package with `composer update firebase/php-jwt`. Notice the dependency issue preventing update.

Proposed resolution

* Update firebase/php-jwt requirement in this project's composer.json to a supported, secure version (< 7.0.0 at time of writing this).
* Ensure module functionality still works with new library release.

Remaining tasks

User interface changes

API changes

Data model changes

Issue fork login_gov-3574365

Comments

timwood created an issue. See original summary.

phernand42:

Was looking into this more and it seems this particular issue/vulnerability is disputed by NVD.

https://nvd.nist.gov/vuln/detail/CVE-2025-45769

After looking at the following GitHub issue, this isn't really a vulnerability for libraries using RSA keys (like the login.gov module does), since the issue is specifically about accepting short HMAC key lengths without validation. One recommendation is to simply ignore the CVE. Then the following will get added to the composer.json file:

composer config -jm audit.ignore '{"CVE-2025-45769":"disputed"}'

"audit": {
    "ignore": {
        "CVE-2025-45769": "disputed"
    }
}
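To make the HMAC key-length point above concrete, here is an added example (not code from the login_gov module and not firebase/php-jwt itself) that implements the RFC 7518 section 3.2 rule that an HS* key must be at least as long as the hash output, and shows that the rule has no bearing on RS256: a 9-byte HS256 secret is rejected, a 32-byte one is accepted, and RS256 signing with an RSA key pair generated in-process is untouched by the check. The function names, the sample claims and the key material are constructed for this example; it assumes PHP 8 with the openssl extension.

```php
<?php
declare(strict_types=1);

// Added example: minimal HS256/RS256 JWT signing with the RFC 7518 §3.2
// minimum HMAC key size enforced. Illustrative only; not the login_gov
// module's code and not firebase/php-jwt.

/** Minimum HMAC key length in bytes: equal to the digest size (RFC 7518 §3.2). */
const HMAC_MIN_KEY_BYTES = ['HS256' => 32, 'HS384' => 48, 'HS512' => 64];

function base64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

/** Reject HMAC keys shorter than the digest size; RSA keys are not subject to this rule. */
function assertKeyAcceptable(string $alg, string|OpenSSLAsymmetricKey $key): void {
    if (isset(HMAC_MIN_KEY_BYTES[$alg]) && strlen($key) < HMAC_MIN_KEY_BYTES[$alg]) {
        throw new InvalidArgumentException(sprintf(
            '%s key must be at least %d bytes, got %d',
            $alg, HMAC_MIN_KEY_BYTES[$alg], strlen($key)
        ));
    }
}

/** Build header.payload.signature for HS256 (shared secret) or RS256 (RSA private key). */
function signJwt(array $claims, string $alg, string|OpenSSLAsymmetricKey $key): string {
    assertKeyAcceptable($alg, $key);
    $signingInput = base64url(json_encode(['typ' => 'JWT', 'alg' => $alg], JSON_THROW_ON_ERROR))
        . '.' . base64url(json_encode($claims, JSON_THROW_ON_ERROR));
    switch ($alg) {
        case 'HS256':
            $sig = hash_hmac('sha256', $signingInput, $key, true);
            break;
        case 'RS256':
            if (!openssl_sign($signingInput, $sig, $key, OPENSSL_ALGO_SHA256)) {
                throw new RuntimeException('openssl_sign failed');
            }
            break;
        default:
            throw new InvalidArgumentException("unsupported alg $alg");
    }
    return $signingInput . '.' . base64url($sig);
}

// --- usage with constructed sample data ---
$claims = ['sub' => 'example-user', 'iat' => 1700000000];

try {
    signJwt($claims, 'HS256', 'short-key'); // 9 bytes: below the 32-byte minimum
} catch (InvalidArgumentException $e) {
    echo "HS256 rejected: {$e->getMessage()}\n";
}
echo "HS256 accepted: ", signJwt($claims, 'HS256', random_bytes(32)), "\n";

// RS256 (what login.gov uses): an RSA key pair generated only for this example.
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$jwt = signJwt($claims, 'RS256', $pair);
[$h, $p, $s] = explode('.', $jwt);
$pub = openssl_pkey_get_public(openssl_pkey_get_details($pair)['key']);
$ok = openssl_verify("$h.$p", base64_decode(strtr($s, '-_', '+/')), $pub, OPENSSL_ALGO_SHA256) === 1;
echo 'RS256 verified: ', var_export($ok, true), "\n";
```

The check lives in assertKeyAcceptable and is keyed only on the HS* algorithms, which is why the RS256 path never consults it; that is the same reasoning behind treating the CVE as not applicable to an RSA-only integration, while still leaving the check in place for any HS* use that might be added later.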

nickolaj made their first commit to this issue’s fork.

nickolaj:

Status: Active » Needs review

Updated composer.json to require firebase/php-jwt ^7.0. The module's API usage (JWT::encode, JWT::decode, JWK::parseKeySet) is fully compatible with v7.x without code changes.