web-token/jwt-framework: Unprotected header override of 'alg' in JWSVerifier and JWEDecrypter
JWSVerifier and JWEDecrypter select 'alg' (and, for JWE, 'enc') from a merge of the protected and unprotected headers in which the unprotected value wins, so a parameter that is not covered by the signature or MAC can override the integrity-protected one.
What changed
JWSVerifier::getAlgorithm() builds the header it consults by spreading the protected header followed by the unprotected header into one array. With string keys, the spread operator behaves like array_merge(): a key in the later array overwrites the same key in the earlier one, so an 'alg' placed in the unprotected header replaces the 'alg' in the integrity-protected header. Because the unprotected header is not covered by the signature, anyone who can rewrite a token chooses which algorithm the verifier runs against the candidate keys. JWEDecrypter.php has the same defect through array_merge(), and there it affects both 'alg' and 'enc'.
Who it affects
Any application that uses web-token/jwt-framework's JWSVerifier to verify signatures or JWEDecrypter to decrypt tokens. Exposure is greatest where the key set holds keys for more than one algorithm (for example, both symmetric and asymmetric keys) and where no HeaderCheckerManager pins the permitted algorithm, since then nothing outside the vulnerable lookup constrains which algorithm is selected. Note that only the JWS and JWE JSON serializations carry an unprotected header; the compact serialization has none, so the override needs an input path that accepts JSON-serialized tokens.
What to do today
Apply the provided fix: change JWSVerifier::getAlgorithm() so it reads 'alg' from the protected header only, and change JWEDecrypter so 'alg' and 'enc' are likewise taken from the protected header. Independently of the patch, register an algorithm check in a HeaderCheckerManager so that only the algorithms you actually deploy are accepted, and run the checker before verification or decryption rather than relying on the lookup alone.
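The lookup described under "What changed" and the corrected lookup described above, as an added PHP example that is not code from web-token/jwt-framework. The function names mergedParam and protectedParam are hypothetical and only model the two behaviours; the sample headers are constructed. The example goes one step beyond the page's fix by also rejecting any parameter name that appears in both headers, which RFC 7515 section 7.2.1 requires to be disjoint.

```php
<?php
declare(strict_types=1);

// Added example; not code from web-token/jwt-framework. The function names
// are hypothetical and only model the lookup the advisory describes.

/**
 * Models the vulnerable lookup: protected and unprotected headers are merged
 * and the merged value is used. With string keys, both the spread operator
 * (PHP 8.1+) and array_merge() let the later array overwrite the earlier one,
 * so an unprotected 'alg' or 'enc' silently replaces the protected value.
 */
function mergedParam(array $protected, array $unprotected, string $name): ?string
{
    $header = [...$protected, ...$unprotected];   // same effect as array_merge()
    return $header[$name] ?? null;
}

/**
 * Corrected lookup: security-critical parameters are read from the
 * integrity-protected header only. The unprotected header may still carry
 * data such as 'kid', but it must not redefine any protected parameter
 * (RFC 7515 section 7.2.1 requires the two name sets to be disjoint).
 */
function protectedParam(array $protected, array $unprotected, string $name): string
{
    $overlap = array_intersect_key($protected, $unprotected);
    if ($overlap !== []) {
        throw new InvalidArgumentException(
            'Unprotected header redefines protected parameter(s): ' . implode(', ', array_keys($overlap))
        );
    }
    if (!isset($protected[$name]) || !is_string($protected[$name]) || $protected[$name] === '') {
        throw new InvalidArgumentException(
            sprintf('Parameter "%s" must be present in the protected header', $name)
        );
    }
    return $protected[$name];
}

// Constructed sample headers: a JWS signed with RS256 whose unprotected header
// carries an attacker-supplied 'alg', and a JWE whose unprotected header tries
// to swap 'enc'.
$jwsProtected   = ['alg' => 'RS256', 'typ' => 'JWT'];
$jwsUnprotected = ['alg' => 'HS256', 'kid' => 'attacker'];

$jweProtected   = ['alg' => 'RSA-OAEP-256', 'enc' => 'A256GCM'];
$jweUnprotected = ['enc' => 'A128CBC-HS256'];

// Vulnerable behaviour: the unprotected values are the ones that get used.
echo 'merged JWS alg: ', mergedParam($jwsProtected, $jwsUnprotected, 'alg'), PHP_EOL;
echo 'merged JWE enc: ', mergedParam($jweProtected, $jweUnprotected, 'enc'), PHP_EOL;

// Corrected behaviour: the conflicting unprotected header is rejected outright.
try {
    echo 'protected JWS alg: ', protectedParam($jwsProtected, $jwsUnprotected, 'alg'), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'JWS rejected: ', $e->getMessage(), PHP_EOL;
}

// An unprotected header that only adds non-conflicting data is still accepted,
// and the protected 'enc' is what comes back.
echo 'protected JWE enc: ', protectedParam($jweProtected, ['kid' => 'key-1'], 'enc'), PHP_EOL;
```

Run with `php example.php` on PHP 8.1 or later (the spread-with-string-keys form in mergedParam needs 8.1; protectedParam itself has no such requirement). The disjointness check is stricter than simply ignoring the unprotected 'alg': it turns an attempted override into a hard failure that is visible in logs instead of a silently discarded header.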