CVE-2021-46743 Overview
CVE-2021-46743 is an algorithm-confusion vulnerability in Firebase PHP-JWT before version 6.0.0. The flaw exists via the kid (Key ID) header when multiple types of keys are loaded in a key ring. This allows an attacker to forge tokens that validate under the incorrect key, potentially leading to authentication bypass and token forgery attacks. The vulnerability is classified as CWE-843 (Type Confusion), where the library may incorrectly process cryptographic material due to ambiguous algorithm selection.
Critical Impact
Attackers can exploit this algorithm-confusion issue to forge valid JWT tokens, bypassing authentication mechanisms and potentially gaining unauthorized access to protected resources.
Affected Products
- Google Firebase PHP-JWT versions prior to 6.0.0
Discovery Timeline
- 2022-03-29 - CVE CVE-2021-46743 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-46743
Vulnerability Analysis
This vulnerability stems from a type confusion condition in how Firebase PHP-JWT handles cryptographic key selection when multiple key types exist within a key ring. The root issue lies in the library's processing of the kid (Key ID) header parameter in JWT tokens combined with asymmetric/symmetric algorithm selection.
In a typical RS256/HS256 confusion attack, the library may be tricked into verifying an RS256-signed token using a public key as if it were an HS256 symmetric secret. When an application loads both RSA public keys and HMAC secrets into the same key ring, an attacker can craft a malicious token specifying HS256 as the algorithm while using the RS256 public key (which is often publicly available) as the HMAC secret. Since the public key is known, the attacker can generate valid HMAC signatures that the library incorrectly validates.
The network attack vector allows remote exploitation without authentication. When successfully exploited, this vulnerability enables attackers to forge authentication tokens that appear valid to the application, potentially leading to complete authentication bypass.
Root Cause
The vulnerability is caused by insufficient validation of the relationship between the specified algorithm in the JWT header and the type of cryptographic key retrieved from the key ring using the kid parameter. When the library looks up a key by its kid, it fails to properly enforce that the key type matches the algorithm being used for verification. This type confusion (CWE-843) allows RSA public keys to be misused as HMAC symmetric secrets.
Attack Vector
The attack exploits the network-accessible JWT verification mechanism. An attacker crafts a JWT with the following characteristics:
- Sets the alg header to HS256 instead of RS256
- Sets the kid header to reference a known RSA public key in the application's key ring
- Signs the token using the RSA public key as an HMAC secret
Since RSA public keys are often distributed or obtainable, the attacker can compute a valid HS256 signature. When the vulnerable library processes this token, it retrieves the RSA public key based on the kid, but treats it as an HMAC secret due to the alg header specifying HS256. The signature verification then succeeds, allowing forged tokens to be accepted as valid.
For detailed technical analysis of this vulnerability, refer to the GitHub Issue Discussion.
Detection Methods for CVE-2021-46743
Indicators of Compromise
- JWT tokens with HS256 algorithm that reference keys originally intended for RS256 operations
- Unexpected authentication events with valid tokens from unknown sources
- Anomalous kid header values in JWT tokens that don't match expected asymmetric key identifiers
Detection Strategies
- Monitor application logs for JWT verification failures followed by unexpected successful authentications
- Implement application-level logging to track the algorithm (alg) and key ID (kid) used in all JWT operations
- Deploy web application firewall rules to detect tokens with suspicious algorithm/key combinations
Monitoring Recommendations
- Audit authentication logs for sessions established via JWT tokens with mismatched algorithm expectations
- Monitor dependency management systems (Composer) for vulnerable PHP-JWT versions
- Review key ring configurations to identify applications using mixed key types that may be susceptible
How to Mitigate CVE-2021-46743
Immediate Actions Required
- Upgrade Firebase PHP-JWT to version 6.0.0 or later immediately
- Review and audit all JWT verification implementations using PHP-JWT
- Ensure algorithm whitelisting is properly configured to prevent algorithm confusion
- Avoid loading multiple key types into the same key ring where possible
Patch Information
The vulnerability has been addressed in Firebase PHP-JWT version 6.0.0. Organizations should update their Composer dependencies to pull the patched version. The fix implements stricter validation to ensure the key type matches the specified algorithm during token verification.
For additional context on the vulnerability and remediation, see the GitHub Issue Discussion.
Workarounds
- Explicitly specify the allowed algorithms when calling the decode function, rather than relying on the token's alg header
- Segregate key rings by algorithm type, ensuring RSA keys and HMAC secrets are never loaded into the same key ring
- Implement application-level validation to verify the algorithm matches expectations before passing tokens to the library
# Update Firebase PHP-JWT via Composer
composer require firebase/php-jwt:^6.0.0
# Verify installed version
composer show firebase/php-jwt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
