php · web-token/jwt-experimental · Critical
web-token/jwt-experimental: Chacha20Poly1305 AEAD downgrade to unauthenticated ChaCha20
The experimental Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication tag during encryption and does not verify it during decryption, degrading AEAD to unauthenticated ChaCha20.
What changed
The fix publishes the tag as a 'tag' header parameter and verifies it.
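A sketch of the fixed behaviour: the Poly1305 tag is kept at encryption, carried as a 'tag' header parameter, and verified at decryption. This is an added example built on PHP's sodium extension, not code from web-token/jwt-experimental; the 'nonce' header name, the base64url encoding and the function names are assumptions.

```php
<?php
declare(strict_types=1);
const TAG_LEN = SODIUM_CRYPTO_AEAD_CHACHA20POLY1305_IETF_ABYTES;      // 16 bytes
const NONCE_LEN = SODIUM_CRYPTO_AEAD_CHACHA20POLY1305_IETF_NPUBBYTES; // 12 bytes
const B64U = SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING;

/** Wrap a CEK; returns [encrypted_key, header]. 'nonce' is an assumed header name. */
function wrapKey(string $kek, string $cek): array
{
    $nonce = random_bytes(NONCE_LEN);
    // libsodium returns ciphertext || tag: keep the tag instead of dropping it.
    $sealed = sodium_crypto_aead_chacha20poly1305_ietf_encrypt($cek, '', $nonce, $kek);
    return [substr($sealed, 0, -TAG_LEN), [
        'nonce' => sodium_bin2base64($nonce, B64U),
        'tag'   => sodium_bin2base64(substr($sealed, -TAG_LEN), B64U),
    ]];
}

/** Unwrap a CEK, failing closed when the tag is absent, malformed or wrong. */
function unwrapKey(string $kek, string $encryptedKey, array $header): string
{
    if (!is_string($header['nonce'] ?? null) || !is_string($header['tag'] ?? null)) {
        throw new RuntimeException("missing 'nonce' or 'tag' header parameter");
    }
    $nonce = sodium_base642bin($header['nonce'], B64U);
    $tag = sodium_base642bin($header['tag'], B64U);
    if (strlen($nonce) !== NONCE_LEN || strlen($tag) !== TAG_LEN) {
        throw new RuntimeException('nonce or tag has the wrong length');
    }
    $cek = sodium_crypto_aead_chacha20poly1305_ietf_decrypt($encryptedKey . $tag, '', $nonce, $kek);
    if ($cek === false) {
        throw new RuntimeException('Poly1305 tag verification failed');
    }
    return $cek;
}

// Constructed sample: random KEK/CEK, then one flipped bit in the wrapped key.
$kek = sodium_crypto_aead_chacha20poly1305_ietf_keygen();
[$wrapped, $header] = wrapKey($kek, random_bytes(32));
echo 'intact: ', strlen(unwrapKey($kek, $wrapped, $header)), " byte CEK recovered\n";
$wrapped[0] = $wrapped[0] ^ "\x01";
foreach (['tampered' => $header, 'no tag' => ['nonce' => $header['nonce']]] as $case => $h) {
    try {
        unwrapKey($kek, $wrapped, $h);
        echo "$case: accepted\n";
    } catch (RuntimeException | SodiumException $e) {
        echo "$case: rejected (", $e->getMessage(), ")\n";
    }
}
```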
Who it affects
Applications that register Jose\Experimental\KeyEncryption\Chacha20Poly1305 as a JWE 'alg' algorithm.
What to do today
Upgrade to the patched version immediately and do not use the experimental Chacha20Poly1305 algorithm for untrusted input until upgraded.