The verify function in Encryption/Symmetric.php in Malcolm Fell jwt before 1.0.3 does not use a timing-safe function for hash comparison, which allows attackers to spoof signatures via a timing attack.
{
"cpe": "cpe:2.3:a:emarref:jwt:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.2"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}