
Cloud Vulnerability DB
A community-led vulnerabilities database
Ruby-JWT v3.0.0.beta1 was reported to contain weak encryption related to the HMAC and RSA key lengths accepted by its JSON Web Signature (JWS) implementation. The issue is tracked as CVE-2025-45765 and was identified in July 2025. The vulnerability is disputed: the supplier maintains that the library does not itself enforce key sizes and that, in recent versions, any such enforcement is performed by the underlying OpenSSL implementation (Red Hat CVE, GitHub Issue).
The report concerns the cryptographic key lengths that the Ruby-JWT library accepts, which reportedly fall short of the recommendations in RFC 7518, NIST SP800-117, and RFC 2437. RFC 7518 requires an HMAC key at least as long as the hash output (for example 256 bits for HS256) and an RSA modulus of at least 2048 bits for the RS* and PS* algorithms. The library does not check these minimums for the HMAC or RSA algorithms, except where the RSA-PSS (PS*) algorithms themselves require it (GitHub Gist, Red Hat CVE).
The weakness is classed as inadequate encryption strength (CWE-326). A token signed with an HMAC secret shorter than the hash output, or with an RSA key below 2048 bits, is weaker than the algorithm name suggests, but the weakness only materialises if the implementer supplies such a key. Because the library leaves key-size enforcement to the underlying OpenSSL implementation in recent versions, the actual impact depends on how the library is used rather than on a flaw in the library's code (Red Hat CVE).
No mitigation is required from the library's side, since key-size enforcement is handled by the underlying OpenSSL implementation in recent versions. Users should ensure that the keys they pass to the library meet the lengths recommended by RFC 7518, NIST SP800-117, and RFC 2437, and should treat that check as the application's responsibility rather than relying on the library to reject a weak key (Red Hat CVE).
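Since the maintainers place key-size enforcement outside the library, the practical mitigation is a check at the application boundary, applied to every key before it reaches JWT.encode or JWT.decode. The following is an added example written for this page; it is not code from ruby-jwt, from the reporter, or from the advisory. It encodes the RFC 7518 minimums directly (HMAC key at least the hash output length, RSA modulus at least 2048 bits) so it does not depend on which OpenSSL version or FIPS setting is in use. The names WeakKeyError, enforce_jws_key_size! and jws_key_ok? are introduced here, and the keys generated in the demo section are constructed sample material. Only the Ruby standard library is used, so the block runs without the jwt gem installed.

```ruby
require 'openssl'

# Minimum JWS key sizes taken from RFC 7518 (JSON Web Algorithms):
#   - Section 3.2: an HMAC key MUST be at least as long as the hash output
#     (32 bytes for HS256, 48 for HS384, 64 for HS512).
#   - Sections 3.3 / 3.5: RSASSA-PKCS1-v1_5 (RS*) and RSASSA-PSS (PS*) MUST
#     use an RSA modulus of 2048 bits or larger.
HMAC_MIN_BYTES = { 'HS256' => 32, 'HS384' => 48, 'HS512' => 64 }.freeze
RSA_ALGS       = %w[RS256 RS384 RS512 PS256 PS384 PS512].freeze
RSA_MIN_BITS   = 2048

# Hypothetical application-side error type; ruby-jwt defines no such class.
class WeakKeyError < StandardError; end

# Check `key` against the RFC 7518 minimum for `alg` before it is handed to
# JWT.encode / JWT.decode. Returns the key unchanged when it is acceptable and
# raises WeakKeyError otherwise. Uses bytesize rather than length so that a
# multibyte String secret is measured in actual key bytes.
def enforce_jws_key_size!(alg, key)
  if HMAC_MIN_BYTES.key?(alg)
    raise WeakKeyError, "#{alg} expects a String secret, got #{key.class}" unless key.is_a?(String)

    min = HMAC_MIN_BYTES[alg]
    if key.bytesize < min
      raise WeakKeyError,
            "#{alg} secret is #{key.bytesize} bytes; RFC 7518 section 3.2 requires at least #{min}"
    end
  elsif RSA_ALGS.include?(alg)
    unless key.is_a?(OpenSSL::PKey::RSA)
      raise WeakKeyError, "#{alg} expects an OpenSSL::PKey::RSA key, got #{key.class}"
    end

    bits = key.n.num_bits
    if bits < RSA_MIN_BITS
      raise WeakKeyError,
            "#{alg} modulus is #{bits} bits; RFC 7518 section 3.3 requires at least #{RSA_MIN_BITS}"
    end
  else
    # Fail closed: an algorithm without a policy here must not slip through.
    raise WeakKeyError, "no key-size policy for alg #{alg.inspect}"
  end
  key
end

# Boolean form of the same check, convenient when auditing existing key material.
def jws_key_ok?(alg, key)
  enforce_jws_key_size!(alg, key)
  true
rescue WeakKeyError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample keys, for demonstration only.
  samples = {
    'HS256 / 6-byte secret'   => ['HS256', 'secret'],
    'HS256 / 32 random bytes' => ['HS256', OpenSSL::Random.random_bytes(32)],
    'RS256 / 1024-bit key'    => ['RS256', OpenSSL::PKey::RSA.new(1024)],
    'RS256 / 2048-bit key'    => ['RS256', OpenSSL::PKey::RSA.new(2048)]
  }
  samples.each do |label, (alg, key)|
    puts format('%-26s %s', label, jws_key_ok?(alg, key) ? 'OK' : 'REJECTED')
  end
end
```

In an application the call sits directly in front of the signing and verification paths, for example `JWT.encode(payload, enforce_jws_key_size!('HS256', secret), 'HS256')`, so that a secret loaded from configuration that is too short fails at startup rather than producing tokens that are cheaper to forge than their algorithm name implies. The check rejects unknown algorithms deliberately; whitelisting the algorithm here complements, but does not replace, passing an explicit `algorithm:` to JWT.decode.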
Source: This report was generated using AI