Fix jwt-auth — CVE-2022-39356 HIGH
Fix CVE-2022-39356 (HIGH) in jwt-auth for PHP. Paste your composer.json into PackageFix and get a patched version — no CLI, no signup. The vulnerability is an algorithm confusion attack allowing arbitrary JWT forging.
⚠ Vulnerability
CVE-2022-39356 (HIGH) — algorithm confusion attack allowing arbitrary JWT forging in jwt-auth below ^2.1.
Vulnerable — composer.json
"tymon/jwt-auth": "^1.0"
Fixed — composer.json
"tymon/jwt-auth": "^2.1"
✓ Fix
Update jwt-auth to ^2.1 and run composer install.
CVE Details
| Field | Value |
|---|---|
| CVE ID | CVE-2022-39356 |
| Severity | HIGH |
| Package | jwt-auth (PHP) |
| Safe version | ^2.1 |
| CISA KEV | — |
| Description | Algorithm confusion attack allowing arbitrary JWT forging |
Frequently Asked Questions
What is CVE-2022-39356?
CVE-2022-39356 is a HIGH severity vulnerability in jwt-auth (PHP) that allows an algorithm confusion attack, enabling arbitrary JWT forging. Update to ^2.1 or later.
How do I fix CVE-2022-39356 in jwt-auth?
Update jwt-auth to version ^2.1 in your composer.json and run composer install.
Is CVE-2022-39356 being actively exploited?
Check packagefix.dev — the CISA KEV catalog updates daily.
How do I verify the fix for CVE-2022-39356?
After updating, paste your composer.json into PackageFix again. If CVE-2022-39356 no longer appears in the CVE table, the fix is applied.