php · web-token/jwt-library
Heads-up
web-token/jwt-library: RSACrypt::decryptWithRSA15() now uses implicit rejection to prevent padding oracle attacks
What changed
RSACrypt::decryptWithRSA15() now performs implicit rejection on invalid PKCS#1 v1.5 padding: instead of throwing InvalidArgumentException, it returns a random content encryption key (CEK) of the size the declared content encryption algorithm expects, selected without branching on the padding check. The caller can no longer distinguish "padding invalid" from "padding valid but wrong key" by the exception, and the constant-time selection closes the timing variant of the same distinguisher. Both distinguishers are what Bleichenbacher-style padding oracle attacks, including the Marvin timing variant, rely on to recover the CEK or forge ciphertexts with the server's RSA private key. The synthetic CEK then reaches the content decryption step, where the authentication tag (AES-GCM) or HMAC (AES-CBC-HS) fails in exactly the same way as it would for any wrong key, so the failure the attacker observes is uniform.
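The following is an added, self-contained illustration of the mechanism described above; it is not the library's code. It shows the explicit-rejection shape that produces an oracle next to an implicit-rejection unpadder that always returns a CEK of the expected length and selects between the real and a synthetic key without a data-dependent branch. The encoded block layout (0x00 0x02 PS 0x00 CEK), the 256-byte modulus size and the 32-byte CEK for A256GCM are constructed test values; the function names are hypothetical. Constant time in an interpreted language is best effort, which is why the uniform AEAD failure downstream matters as much as the selection itself.

```php
<?php
declare(strict_types=1);

// $em is the RSA-decrypted block with its leading zero restored:
// k bytes laid out as 0x00 || 0x02 || PS (>= 8 non-zero bytes) || 0x00 || CEK.

/** Before: explicit rejection. Each distinct failure is an oracle. */
function unpadRsa15Throwing(string $em, int $cekLen): string
{
    $k = strlen($em);
    if ($k < $cekLen + 11 || $em[0] !== "\x00" || $em[1] !== "\x02") {
        throw new InvalidArgumentException('Invalid PKCS#1 v1.5 padding');
    }
    $zero = strpos($em, "\x00", 2);        // early exit: timing depends on PS
    if ($zero === false || $zero < 10) {
        throw new InvalidArgumentException('Invalid PKCS#1 v1.5 padding');
    }
    $cek = substr($em, $zero + 1);
    if (strlen($cek) !== $cekLen) {
        throw new InvalidArgumentException('Unexpected CEK length');
    }
    return $cek;
}

/** After: implicit rejection. Always returns $cekLen bytes; no branch on secret data. */
function unpadRsa15Implicit(string $em, int $cekLen): string
{
    $k = strlen($em);
    if ($k < $cekLen + 11) {
        // Depends only on public sizes (modulus, declared "enc"), not on the plaintext.
        throw new InvalidArgumentException('Modulus too small for requested CEK size');
    }
    // With a fixed expected CEK length the 0x00 separator must sit at this index.
    $sep = $k - $cekLen - 1;

    // Accumulate "bad" bits with OR; no data-dependent early exit.
    $bad  = ord($em[0]);                   // must be 0x00
    $bad |= ord($em[1]) ^ 0x02;            // must be 0x02
    $bad |= ord($em[$sep]);                // separator must be 0x00
    for ($i = 2; $i < $sep; $i++) {
        // PS bytes must be non-zero: (b - 1) >> 8 is all ones only when b == 0
        $bad |= ((ord($em[$i]) - 1) >> 8) & 0xFF;
    }
    // Fold to a single 0/1 bit (arithmetic shift of the sign bit).
    $badBit = (($bad | -$bad) >> (PHP_INT_SIZE * 8 - 1)) & 1;
    // Byte mask: 0xFF if padding is valid, 0x00 if not.
    $keep = str_repeat(chr(((0 - $badBit) & 0xFF) ^ 0xFF), $cekLen);

    $real = substr($em, $sep + 1);         // fixed offset, fixed length
    $fake = random_bytes($cekLen);         // synthetic CEK of the expected size
    return ($real & $keep) | ($fake & ~$keep);
}

/** Constructed helper: EME-PKCS1-v1_5 encoding of a CEK for a k-byte modulus. */
function pkcs1v15Pad(string $cek, int $k): string
{
    $psLen = $k - 3 - strlen($cek);
    $ps = '';
    while (strlen($ps) < $psLen) {
        $ps .= str_replace("\x00", '', random_bytes($psLen));
    }
    return "\x00\x02" . substr($ps, 0, $psLen) . "\x00" . $cek;
}

$k   = 256;                 // 2048-bit modulus (constructed)
$cek = random_bytes(32);    // A256GCM CEK (constructed)
$em  = pkcs1v15Pad($cek, $k);

if (unpadRsa15Implicit($em, 32) !== $cek) {
    throw new RuntimeException('valid padding must yield the real CEK');
}

$tampered = $em;
$tampered[1] = "\x01";      // what most Bleichenbacher probes look like after decryption

try {
    unpadRsa15Throwing($tampered, 32);
} catch (InvalidArgumentException $e) {
    echo "old: ", $e->getMessage(), " (attacker learns padding was invalid)\n";
}
$synthetic = unpadRsa15Implicit($tampered, 32);
echo "new: ", strlen($synthetic), " bytes returned, equals real CEK: ",
    var_export($synthetic === $cek, true), "\n";
```

Whatever the padding check decides, the caller receives 32 bytes and proceeds to content decryption, where a synthetic key fails the tag check exactly like any other wrong key. Keep that downstream path free of its own distinguishers (no separate error message or log line for "key unwrap looked wrong"), or the oracle simply moves one layer up.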
Who it affects
Applications that register RSA1_5 in the AlgorithmManager used for decryption and decrypt JWEs with an RSA private key. The attacker does not need to have received an RSA1_5 token from you: the "alg" header is attacker-controlled, so any endpoint that accepts JWEs and reveals whether decryption failed is a usable oracle as long as RSA1_5 is enabled.
What to do today
Update to the patched version as soon as it is released. In the meantime, prefer RSA-OAEP or RSA-OAEP-256 (RFC 7518 already lists RSA1_5 as "Recommended-") and do not register RSA1_5 at all when decrypting tokens from untrusted sources; leaving it registered "just in case" is enough to expose the private key to padding probes even if your own issuer never uses it.
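An added configuration example, not taken from the project's documentation: the weak manager that still accepts RSA1_5 next to the hardened one that only registers RSA-OAEP-256 and AES-256-GCM. The class names are jwt-library's; the single-manager JWEDecrypter constructor is assumed to match the 4.x line (older releases took separate key-encryption and content-encryption managers), the helper decryptToken() is hypothetical, and how the JWK is loaded is left to your keystore.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\JWK;
use Jose\Component\Encryption\Algorithm\ContentEncryption\A256GCM;
use Jose\Component\Encryption\Algorithm\KeyEncryption\RSAOAEP256;
use Jose\Component\Encryption\JWEDecrypter;
use Jose\Component\Encryption\Serializer\CompactSerializer;
use Jose\Component\Encryption\Serializer\JWESerializerManager;

// Weak: RSA1_5 registered alongside OAEP. A token can select "alg":"RSA1_5"
// and drive the private key through PKCS#1 v1.5 unwrapping.
// $algorithmManager = new AlgorithmManager([new RSA15(), new RSAOAEP256(), new A256GCM()]);

// Hardened: OAEP-256 only for key wrapping, AES-256-GCM only for content.
$algorithmManager = new AlgorithmManager([new RSAOAEP256(), new A256GCM()]);

// Assumption: single-manager constructor (jwt-library 4.x).
$decrypter   = new JWEDecrypter($algorithmManager);
$serializers = new JWESerializerManager([new CompactSerializer()]);

/**
 * Hypothetical helper. An RSA1_5 token never reaches the RSA private key:
 * the algorithm is not registered, so unwrapping is refused before any
 * padding is inspected. Any failure is mapped to one generic error.
 */
function decryptToken(
    JWEDecrypter $decrypter,
    JWESerializerManager $serializers,
    JWK $privateKey,
    string $token
): string {
    try {
        $jwe = $serializers->unserialize($token);
        if (!$decrypter->decryptUsingKey($jwe, $privateKey, 0)) {
            throw new RuntimeException('decryption failed');
        }
        return (string) $jwe->getPayload();
    } catch (Throwable $e) {
        // One message for every failure mode; log details server-side only.
        throw new RuntimeException('JWE rejected', 0, $e);
    }
}
```

The single catch-all matters as much as the algorithm list: distinct error responses for "unsupported alg", "unwrap failed" and "tag mismatch" hand back exactly the kind of distinguisher implicit rejection is meant to remove.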