Login Sign Up

CVE-2021-46743

9.1 CRITICAL
Authentication Bypass

📋 TL;DR

CVE-2021-46743 is an algorithm confusion vulnerability in Firebase PHP-JWT library that allows attackers to forge JWT tokens by exploiting key ID (kid) header mismatches when multiple key types are loaded. This enables authentication bypass and privilege escalation in applications using vulnerable versions. Any PHP application using firebase/php-jwt library with mixed key types is affected.

💻 Affected Systems

Products:
  • firebase/php-jwt
Versions: All versions before 6.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires loading multiple key types (RS256 and HS256) in key ring and using kid header

📦 What is this software?

Firebase Php Jwt by Google

View all CVEs affecting Firebase Php Jwt →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via admin privilege escalation, data exfiltration, and unauthorized access to all protected resources

🟠

Likely Case

Authentication bypass leading to unauthorized access to user accounts and protected API endpoints

🟢

If Mitigated

Limited impact with proper key validation and algorithm enforcement

🌐 Internet-Facing: HIGH - JWT tokens are commonly used in public APIs and web applications
🏢 Internal Only: MEDIUM - Internal applications using JWT authentication remain vulnerable

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of public key and ability to forge tokens

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.0 and later

Vendor Advisory: https://github.com/firebase/php-jwt/security/advisories/GHSA-5p8f-5jgv-5wq5

Restart Required: No

Instructions:

1. Update composer.json to require 'firebase/php-jwt: ^6.0.0' 2. Run 'composer update firebase/php-jwt' 3. Verify update with 'composer show firebase/php-jwt'

🔧 Temporary Workarounds

Enforce algorithm validation

all

Explicitly validate algorithm in JWT verification to prevent confusion attacks

// PHP code: $decoded = JWT::decode($jwt, $key, ['RS256']); // Explicitly specify algorithm

Separate key rings

all

Use separate key management for different algorithm types

// PHP code: Store RS256 and HS256 keys in separate arrays/objects

🧯 If You Can't Patch

  • Implement strict algorithm validation in all JWT decode calls
  • Use single algorithm type per application to avoid key confusion

🔍 How to Verify

Check if Vulnerable:

Check composer.lock or run 'composer show firebase/php-jwt' and verify version is below 6.0.0

Check Version:

composer show firebase/php-jwt | grep version

Verify Fix Applied:

Confirm version is 6.0.0 or higher with 'composer show firebase/php-jwt | grep version'

📡 Detection & Monitoring

Log Indicators:

  • Failed JWT validations with algorithm mismatch errors
  • Unexpected successful authentications with modified tokens

Network Indicators:

  • JWT tokens with modified kid headers
  • Authentication requests with unexpected algorithm types

SIEM Query:

source="application.logs" AND ("JWT validation failed" OR "algorithm mismatch")

📊 Metadata

CVE ID: CVE-2021-46743
CVSS v3 Score: 9.1 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-843
Published: March 29, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46743, you might also want to check these:

CVE-2025-47151 9.8

A type confusion vulnerability in Entr'ouvert Lasso's SAML parsing allows remote code execution when...

Same vulnerability type (CWE-843)
CVE-2025-65570 9.8

A type confusion vulnerability in jsish 2.0 allows incorrect control flow during execution of the OP...

Same vulnerability type (CWE-843)
CVE-2023-42464 9.8

A Type Confusion vulnerability in Netatalk's afpd service allows remote attackers to potentially exe...

Same vulnerability type (CWE-843)