CVE-2024-25189: 
NixOS vulnerability analysis and mitigation

CVE-2024-25189 affects libjwt version 1.15.3, a C library for handling JWT (JSON Web Token). The vulnerability was disclosed in February 2024 and involves the use of strcmp() for authentication verification, which operates in non-constant time (NVD, Debian Security).

The vulnerability exists in the jwt_verify_sha_hmac function of jwt-wincrypt.c, which implements the HS256 algorithm signature comparison. The function uses strcmp to compare the calculated signature with the provided JWT signature, which is not a time-safe comparison function. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD, GitHub CVE).

The non-constant time comparison makes the authentication system vulnerable to timing side-channel attacks. An attacker can potentially learn the correct signature by analyzing the time differences in comparison operations, ultimately leading to authentication bypass (NVD).

Fixed versions have been released for various Debian distributions: version 1.10.2-1+deb11u1 for bullseye, 1.10.2-1+deb12u1 for bookworm, and 1.17.2-1 for sid and trixie. Users are recommended to upgrade their libjwt packages to these patched versions (Debian Security, Debian LTS).