Security: Vulnerable `firebase/php-jwt` constraint — CVE-2025-45769 (High)

## Security: Vulnerable `firebase/php-jwt` constraint — CVE-2025-45769 (High)

### Summary

The current `composer.json` constrains `firebase/php-jwt` to `^6.1`, which resolves to any version `>=6.1 <7.0.0`. All versions in this range are affected by a known security vulnerability.

### Vulnerability Details

| Field | Value |
|---|---|
| Advisory ID | [PKSA-y2cr-5h3j-g3ys](https://packagist.org/security-advisories/PKSA-y2cr-5h3j-g3ys) |
| CVE | [CVE-2025-45769](https://nvd.nist.gov/vuln/detail/CVE-2025-45769) |
| GHSA | [GHSA-2x45-7fc3-mxwq](https://github.com/advisories/GHSA-2x45-7fc3-mxwq) |
| Severity | **High** (CVSS 7.3) |
| CWE | CWE-326 — Inadequate Encryption Strength |
| Affected versions | `firebase/php-jwt` < 7.0.0 |
| Fixed in | `firebase/php-jwt` 7.0.0 |

### Description

`firebase/php-jwt` v6.x was discovered to contain weak encryption. The vulnerability has a CVSS score of 7.3 (High) with network attack vector, low attack complexity, and no privileges or user interaction required.

### Affected Code

In `composer.json`:
```json
"firebase/php-jwt": "^6.1"
```

This constraint allows installation of any `6.x` release, all of which are vulnerable.

### Recommended Fix

Update the constraint to require `^7.0`:

```json
"firebase/php-jwt": "^7.0"
```

> ⚠️ Note: `firebase/php-jwt` v7.0 may include breaking changes. Please review the [v7.0.0 release notes](https://github.com/firebase/php-jwt/releases/tag/v7.0.0) and any usage of the library within the SDK before updating.

### References

- https://packagist.org/security-advisories/PKSA-y2cr-5h3j-g3ys
- https://github.com/advisories/GHSA-2x45-7fc3-mxwq
- https://nvd.nist.gov/vuln/detail/CVE-2025-45769
- https://github.com/firebase/php-jwt/releases/tag/v7.0.0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: Vulnerable `firebase/php-jwt` constraint — CVE-2025-45769 (High) #18