Advisories for Composer/Gree/Jose package

2024
2019

Key confusion attack

The PHP JOSE Library is vulnerable to key confusion/algorithm substitution in the JWS component resulting in bypassing the signature verification via crafted tokens.

2016
2015

JWT Verification bypass

It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)".