CVE-2025-45770
low-risk
Published 2025-07-31
jwt v5.4.3 was discovered to contain weak encryption. NOTE: this issue has been disputed on the basis that key lengths are expected to be set by an application, not by this library. This dispute is subject to review under CNA rules 4.1.4, 4.1.14, and other rules; the dispute tagging is not meant to recommend an outcome for this CVE Record.
Do I need to act?
-
0.02% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.0/10
High
NETWORK
/ HIGH complexity
Affected Products (1)
Jwt
Affected Vendors
References (3)
Third Party Advisory
https://gist.github.com/ZupeiNie/cd88c827eef11a1618f8baacccd240fb
Product
https://github.com/lcobucci
Product
https://github.com/lcobucci/jwt
26
/ 100
low-risk
Severity
21/34 · High
Exploitability
0/34 · Minimal
Exposure
5/34 · Minimal